Security patch issued for Arcserve Unified Data Protection

Arcserve Unified Data Protection customers are being told to patch the backup platform after a security provider found issues that could leave data unprotected.

The four vulnerabilities in Arcserve UDP could compromise sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system, according to Digital Defense, the company that discovered the problems.

Digital Defense, based in San Antonio, reached out to Arcserve with technical details of the vulnerabilities, said Mike Cotton, senior vice president of engineering at the security provider, which disclosed its findings publicly last week.

“[We] walked them through scenarios with how attackers can exploit the vulnerabilities in question,” Cotton wrote in an email. “Their team was extremely professional and they were very proactive in wanting to understand where the vulnerabilities were and how precisely to fix them.”

The vulnerabilities affect Arcserve Unified Data Protection 6.5, updates 3 and 4. Update 4 launched last month. UDP, Arcserve’s flagship product, features backup, recovery, automated testing, granular reporting and hardware snapshot support.

Arcserve Unified Data Protection customers can download a patch from Arcserve Support and reach out to the company to address any outstanding questions or concerns, the vendor said. Arcserve, based in Eden Prairie, Minn., also provided manual fix application instructions.

“Arcserve is committed to developing data protection solutions that meet the highest security standards to protect our partners, customers and, most importantly, their data,” the data protection vendor said in a statement. “We welcome reports from security researchers and experts so we can quickly and efficiently address any vulnerabilities, which was done by our incident response team in this case.”

Cotton said installing Arcserve’s patch is the best way to address these particular flaws.

“More generally, undertaking controlled network access strategies to limit access to the administrative interfaces of key backup systems can further harden installations such as this,” Cotton wrote.

Digital Defense regularly works with vendors regarding the disclosure of zero-day vulnerabilities. When the company’s Vulnerability Research Team finds issues and validates them, it contacts the affected vendor and helps with remediation actions.

Digital Defense has found vulnerabilities in other major backup products, including Dell EMC’s Avamar in 2017, but Cotton said this is the first time the company has worked with Arcserve.

“We believe they’ve addressed the flaws in question for these vulnerabilities,” Cotton wrote, “so no further action is necessary for them.”