NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities

The UK's NHS is warning of the possibility that vulnerabilities in Arcserve Unified Data Protection (UDP) software are being actively exploited.

Originally disclosed in March, the three vulnerabilities all had proof of concept (PoC) exploit code released the day after disclosure by Tenable, which reported the bugs to Arcserve. In these cases, it doesn't usually take long before attackers try to abuse them.

The NHS hasn't offered any details of the data it has seen that indicates possible exploitation but has "strongly encouraged" organizations to apply the patches as set out in Arcserve's advisory. 

The NHS published its updated alert on May 9, but also said that possible exploitation attempts of Arcserve UDP followed soon after the proof of concept code was published. It's not clear exactly when these possible attacks began.

The Register asked Arcserve whether it was aware of the exploit attempts and if customers had been alerted, but it didn't immediately respond.

Arcserve UDP is a widely used data protection and disaster recovery solution, and there was a good deal of fuss made over the March vulnerabilities at the time.

• CVE-2024-0799 (CWE-287) (9.8 CVSSv3) – an authentication bypass vulnerability that allowed attackers to perform privileged actions within the software

• CVE-2024-0800 (CWE-434) (8.8 CVSSv3) – a path traversal bug allowing attackers to upload malicious files with SYSTEM privileges

• CVE-2024-0801 (NVD still assessing severity) – a denial of service vulnerability still undergoing assessment

• AI red-teaming tools helped X-Force break into a major tech manufacturer 'in 8 hours'
• Encrypted mail service Proton hands suspect's personal info to cops again
• US faith-based healthcare org Ascension says 'cybersecurity event' disrupted clinical ops
• 68 tech names sign CISA's secure-by-design pledge

Tenable assesses the threat presented by all three to be "critical," per its PoC article, while the NHS deems it "medium" severity. 

The Centre for Cybersecurity Belgium (CCB) sides more with Tenable's attitude. In big, colorful, all-caps lettering at the top of its own advisory, CCB says: "WARNING: THREE VULNERABILITIES IN ARCSERVE UDP SOFTWARE DEMAND URGENT ACTION, PATCH IMMEDIATELY!"

It said if successfully exploited, the vulnerabilities could lead to follow-on crimes such as data theft, ransomware attacks, and sabotaged backups – perhaps all in one fell swoop.

"The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion," it added.

"While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise." ®