There are four previously undisclosed vulnerabilities within the Arcserve Unified Data Protection (UDP) platform, researchers said.
If leveraged, the vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system, said researchers at security provider Digital Defense, Inc.
UDP is vulnerable to two unauthenticated information disclosures and an XML external entity (XXE) attack that an attacker could use to obtain database and other credentials and to read files on the system hosting the UDP application without authentication. Additionally, UDP is vulnerable to reflected cross-site scripting (XSS), which could be used for phishing purposes.
“Arcserve has been extremely responsive and collaborative in working with our Vulnerability Research Team (VRT) to resolve the issues,” said Mike Cotton, senior vice president of engineering at Digital Defense. “Our mutual goal is to ensure the security of the organizations utilizing the Arcserve systems.”
The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities.
The expertise of the VRT, when coupled with the company’s next-generation hybrid cloud platform, Frontline Vulnerability Manager, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT immediately contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.
The security fixes can be obtained through the Arcserve website.