Below are the issues the team has reported; the same issues have now been reported again. We have updated SE and are waiting for an update.

1) Vulnerability: Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl

Impact: Ability to call operations exposed by the /gateway/services/EdgeServiceImpl SOAP endpoint without authentication; disclosure of database credentials (unless Windows authentication is used for the database); and remote command execution as SYSTEM if the database service is reachable over the network.

Details: The SOAP endpoint at /gateway/services/EdgeServiceImpl, on port 8015, allows unauthenticated users to call the "getAppInformation" operation. This operation returns the App UUID, which can then be used to authenticate to the EdgeServiceImpl web service via the "validateUserByUUID" operation. Once authenticated, the configuration of the UDP database, potentially including credentials, can be retrieved via the "getDatabaseConfiguration" operation. By default UDP is configured to use database authentication; it can instead be configured to use Windows authentication for the SQL Server, in which case "getDatabaseConfiguration" returns no credentials. The password returned by "getDatabaseConfiguration" is encrypted with a static key and can be decrypted with the AFDecryptStringEx method of the WSJNI class. This class is implemented using the Java Native Interface and requires the following files to function: aspectjrt.jar, flash-webservice-impl.jar, log4j-1.2.15.jar, jsxml.dll, NativeFacade.dll, Log.dll, HyperVMgr.dll, HaVHDUtility.dll, HaUtility.dll, HaCommonFunc.dll, DTraceLib.dll, DRCore.dll, CryptoWrapperDll.dll, CatalogMgrDll.dll, Catalog.dll, ArcFlashLicense.dll, AFXmlParser.dll, AFStorHBAMgmt.dll, AFStor.dll, AFSessMgr.dll, AFCoreInterface.dll, AFCoreFunction.dll, AFCommFunc.dll, zlib10.dll, vhdxparserlib.dll, msvcr120.dll, msvcp120.dll, and WmiWrapper.dll. Additionally, the encrypted database password is prefixed with the string "\u+00Arcserve", which must be removed before decrypting the string.

If the database service is reachable remotely (it listens on all interfaces by default, so this holds unless a firewall blocks it), the recovered credentials can be used to execute arbitrary code through the "xp_cmdshell" stored procedure. xp_cmdshell is disabled by default, but it is trivial to re-enable it remotely; once enabled, it executes arbitrary commands as SYSTEM.

Info disclosure POC: database_config_disclosure_poc.py

2) Vulnerability: Unauthenticated XXE in /management/UdpHttpService

Impact: Possible information disclosure.

Details: Requests to the /management/UdpHttpService endpoint are handled by the "UdpHttpService" servlet and do not require authentication. The request body consists of a four-byte action code, a four-byte length value, and a UTF-16 little-endian encoded XML string. Action code 1 is handled by the "GetUpdateInfoHandler" class and action code 2 by the "ReportGatewayUpdateStatusHandler" class. Both classes call "JAXB.unmarshal" on the user-supplied XML payload without validating it and without disabling XML external entities. This could allow an attacker to read files from the system hosting the UDP application.

POC: UdpHttpService_XXE_poc.py

3) Vulnerability: Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml

Impact: If a proxy that requires credentials is configured for UDP updates, this file discloses the username and password for that proxy.

Details: The URL https://<Arcserve UDP Host>:8015/UDPUpdates/Config/FullUpdateSettings.xml can be fetched without authentication and contains the username and encrypted password of the proxy used for UDP updates, if one is configured. The password is encrypted with a static key and can be decrypted via the AFDecryptString method of the com.ca.arcserve.edge.app.base.jni.BaseWSJNI class. AFDecryptString is implemented via the Java Native Interface and depends on edge-app-base-dll-loader.jar, ARCserveEdgeLicense.dll, ASNative.dll, msvcp120.dll, and msvcr120.dll.

4) Vulnerability: Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp

Impact: This vulnerability could be used to assist phishing attacks, since the injected script runs in the victim's browser in the context of the UDP console origin.

Details: The user-supplied value of the "authFailureMsg" parameter is included by domain.jsp in the response body for requests to /authenticationendpoint/domain.jsp without sanitization or HTML encoding.

Vulnerable parameter: authFailureMsg

POC: https://<Target IP>:8015/authenticationendpoint/domain.jsp?authFailureMsg=%3Cscript%3Ealert("XSS POC")%3C/script%3E&authFailure=true
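As an added example (not part of the advisory and not Arcserve's code), the following Python encodes and decodes the UdpHttpService request framing described in issue 2, and shows the pre-parse guard a hardened handler would apply before handing the XML to JAXB.unmarshal: refusing any payload that carries a DTD, which is where external entity declarations live. Assumptions: both header integers are little-endian (the advisory gives only their size, so the byte order is assumed to match the UTF-16LE payload), the <UpdateInfo> element name is a placeholder because the real schema is not on the page, and the two sample bodies are constructed here.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Action codes named in the advisory.
ACTION_GET_UPDATE_INFO = 1          # handled by GetUpdateInfoHandler
ACTION_REPORT_GATEWAY_UPDATE = 2    # handled by ReportGatewayUpdateStatusHandler

# 4-byte action code followed by 4-byte payload length.
# Little-endian byte order is an assumption; the advisory only states the field sizes.
HEADER = struct.Struct("<II")


def frame_request(action: int, xml_text: str) -> bytes:
    """Build a UdpHttpService body: action code, length, then UTF-16LE encoded XML."""
    payload = xml_text.encode("utf-16-le")
    return HEADER.pack(action, len(payload)) + payload


def parse_request(body: bytes):
    """Split a body back into (action, xml_text); rejects short or truncated frames."""
    if len(body) < HEADER.size:
        raise ValueError("body shorter than the 8-byte header")
    action, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds body")
    return action, payload.decode("utf-16-le")


# External entities can only be declared inside a DTD, so refusing any DOCTYPE/ENTITY
# markup before the XML reaches the unmarshaller removes the XXE vector outright.
_DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def reject_dtd(xml_text: str) -> str:
    if _DTD_RE.search(xml_text):
        raise ValueError("DTD or entity declaration not allowed")
    return xml_text


def safe_unmarshal(body: bytes):
    """Hardened counterpart of the handlers' unmarshal call: frame check, action check, DTD check, then parse."""
    action, xml_text = parse_request(body)
    if action not in (ACTION_GET_UPDATE_INFO, ACTION_REPORT_GATEWAY_UPDATE):
        raise ValueError(f"unknown action code {action}")
    return action, ET.fromstring(reject_dtd(xml_text))


def is_rejected(body: bytes) -> bool:
    """True if the hardened path refuses the body (malformed frame, bad action, DTD, or unparsable XML)."""
    try:
        safe_unmarshal(body)
    except (ValueError, ET.ParseError):
        return True
    return False


# Constructed sample bodies. <UpdateInfo>/<Version> are placeholder element names;
# the schema the real handlers consume is not part of the advisory.
BENIGN_BODY = frame_request(ACTION_GET_UPDATE_INFO, "<UpdateInfo><Version>6.5</Version></UpdateInfo>")
XXE_BODY = frame_request(
    ACTION_GET_UPDATE_INFO,
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>'
    "<UpdateInfo><Version>&xxe;</Version></UpdateInfo>",
)

if __name__ == "__main__":
    print("benign body accepted:", not is_rejected(BENIGN_BODY))
    print("XXE body rejected:", is_rejected(XXE_BODY))
```

The DTD check is deliberately a string match on the decoded XML rather than a parser feature: it is parser-independent, so the same rule holds whether the unmarshaller is JAXB, a SAX parser, or something else, and it also stops the "billion laughs" style internal-entity expansion that a pure external-entity switch would leave open.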
Product: Arcserve UDP
Affected releases: 6.5 Update 4; 6.5 Update 3
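Before or after applying the fix, it is worth checking whether any of the four endpoints above have already been hit. The following is an added example, not part of the advisory: a small scan over Tomcat common-format access log lines that flags the endpoints named in issues 1 through 4, with the domain.jsp rule keyed on markup in the authFailureMsg value. The log lines are constructed here; the "trusted" source list is an assumption you would populate yourself, because consoles and agents legitimately call the gateway SOAP endpoint, so a bare hit on /gateway/services/EdgeServiceImpl is a weak signal on its own.

```python
import re
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# The four endpoints named in the advisory (all served on port 8015).
WATCHED_PATHS = {
    "/gateway/services/EdgeServiceImpl": "SOAP endpoint reachable unauthenticated (issue 1)",
    "/management/UdpHttpService": "XXE-prone servlet (issue 2)",
    "/UDPUpdates/Config/FullUpdateSettings.xml": "proxy credential disclosure (issue 3)",
    "/authenticationendpoint/domain.jsp": "reflected XSS via authFailureMsg (issue 4)",
}

# Tomcat "common" access log layout: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

Hit = Tuple[str, str, str, str]  # (ip, timestamp, path, reason)


def classify(line: str, trusted: FrozenSet[str] = frozenset()) -> Optional[Hit]:
    """Return a hit tuple if the line touches a watched endpoint in a suspicious way, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reason = WATCHED_PATHS.get(parts.path)
    if reason is None:
        return None
    if parts.path == "/authenticationendpoint/domain.jsp":
        # Plain failure text is normal login traffic; only flag a value carrying markup.
        values = parse_qs(parts.query).get("authFailureMsg", [])
        msg = unquote(" ".join(values)).lower()   # second decode catches double-encoded payloads
        if not any(marker in msg for marker in XSS_MARKERS):
            return None
    if parts.path == "/gateway/services/EdgeServiceImpl" and m.group("ip") in trusted:
        # Known consoles/agents legitimately call the gateway (assumption: you maintain this list).
        return None
    return (m.group("ip"), m.group("ts"), parts.path, reason)


def scan(lines, trusted: FrozenSet[str] = frozenset()) -> List[Hit]:
    return [hit for hit in (classify(line, trusted) for line in lines) if hit is not None]


# Constructed sample log; 10.0.0.5 plays the role of a legitimate console host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2019:10:00:01 +0000] "POST /gateway/services/EdgeServiceImpl HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "POST /management/UdpHttpService HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2019:10:00:03 +0000] "GET /UDPUpdates/Config/FullUpdateSettings.xml HTTP/1.1" 200 412
10.0.0.9 - - [01/Jan/2019:10:00:04 +0000] "GET /authenticationendpoint/domain.jsp?authFailureMsg=%3Cscript%3Ealert(1)%3C/script%3E&authFailure=true HTTP/1.1" 200 2210
10.0.0.7 - - [01/Jan/2019:10:00:05 +0000] "GET /authenticationendpoint/domain.jsp?authFailureMsg=Invalid+credentials&authFailure=true HTTP/1.1" 200 2190
10.0.0.7 - - [01/Jan/2019:10:00:06 +0000] "GET /management/ HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, ts, path, reason in scan(SAMPLE_LOG, trusted=frozenset({"10.0.0.5"})):
        print(f"{ts} {ip} {path}: {reason}")
```

Note what the log cannot tell you: the SOAP operation name (getAppInformation, validateUserByUUID, getDatabaseConfiguration) and the XXE body both travel in the POST body, which the access log does not record, so a hit on those two paths from an unexpected source is a lead to pull the full request from a proxy or packet capture, not a confirmed exploitation.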
Product Installation Instructions:
For a manual fix, use the attachment "ManuallyPatch.zip".

For Console:
1. Stop the Arcserve UDP Management Service.
2. Go to C:\Program Files\Arcserve\Unified Data Protection\Management\TOMCAT\webapps\management\WEB-INF.
3. Remove the "classes" folder if there is one (it is not there by default). If the folder exists, you can move it elsewhere as a backup.
4. Go to C:\Program Files\Arcserve\Unified Data Protection\Management\TOMCAT\webapps\gateway\WEB-INF.
5. Remove the "classes" folder if there is one (it is not there by default). If the folder exists, you can move it elsewhere as a backup.
6. Go to C:\Program Files\Arcserve\Unified Data Protection\Management.
7. Unzip the fix, then copy all files and folders from the folder "ConsoleManuallyPatch\Unified Data Protection\Management" into "C:\Program Files\Arcserve\Unified Data Protection\Management".
8. Run the command "C:\Program Files\Arcserve\Unified Data Protection\Management\CmdUtil.exe /upgradeApache /type:console".
9. Start the Arcserve UDP Management Service.

For Standalone Gateway:
1. Stop the Arcserve Remote Management Gateway Service.
2. Go to C:\Program Files\Arcserve\Unified Data Protection\Gateway\TOMCAT\webapps\gateway\WEB-INF.
3. Remove the "classes" folder if there is one (it is not there by default). If the folder exists, you can move it elsewhere as a backup.
4. Go to C:\Program Files\Arcserve\Unified Data Protection\Gateway.
5. Unzip the fix, then copy all files and folders from the folder "GatewayManuallyPatch\Unified Data Protection\Gateway" into "C:\Program Files\Arcserve\Unified Data Protection\Gateway".
6. Start the Arcserve Remote Management Gateway Service.
Related Fix List:
Fix P00001464 (product: Arcserve UDP, release: 6.5 Update 4) is available for download; download and apply it.
Fix P00001466 (product: Arcserve UDP, release: 6.5 Update 3) is available for download; download and apply it.