CVE-2024-0801
Published 2024-03-13
CVE-2024-0801: A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
Priority: P2 · 77 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 41.84% (98.5th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | udp | — | — |
| arcserve | udp | — | — |
| arcserve | unified_data_protection | <= 9.2 | — |
Detection & IOCs (extracted from sources)
other · shodan: http.favicon.hash:1015186617
other · fofa: icon_hash="1015186617"
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection Console Unauthenticated DoS in ASNative.dll (CVE-2024-0801)"; flow:established,to_server; http.uri; content:"/management/services/EdgeServiceConsoleImpl"; fast_pattern; http.request_body; content:"ns2:validateUserByUser"; content:"|22 3e|"; distance:0; pcre:"/^[^\x3c]*?[\x2f\x5c]/R"; reference:url,www.tenable.com/security/research/tra-2024-07; reference:cve,2024-0801; classtype:web-application-attack; sid:2065741; rev:1; metadata:affected_product Arcserve_UDP, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2024_0801, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The DoS is triggered by sending a POST request to /management/services/EdgeServiceConsoleImpl with a body containing the validateUserByUser API call where the username starts with a backslash (\) or forward slash (/). This passes 0 as the second parameter to wcsncpy_s(), triggering the invalid parameter handler and terminating the process.
- The Snort/ET rule detects the attack by matching HTTP URI /management/services/EdgeServiceConsoleImpl, request body containing 'ns2:validateUserByUser' followed by '">' (hex 22 3e), and a PCRE matching a username starting with / or \ before any XML tag character.
- A successful DoS attempt results in the server returning HTTP 503 Service Unavailable or HTTP 502 Proxy Error, indicating the backend process has been terminated.
- The vulnerable code path is in ASNative.dll (file version 9.0.6034.674) at the do_login function. The domain extraction loop at .text:0000000180009203 can be bypassed to pass a zero-length size to wcsncpy_s.
- The attack is unauthenticated and requires no prior session. The Content-Type header must be set to text/xml for the request to be processed by the vulnerable endpoint.
- The Nuclei template uses a two-step detection flow: step 1 validates the target is a legitimate Arcserve UDP console (expects HTTP 500 with 'Invalid user credentials'), and step 2 sends the actual DoS payload. The template is marked 'intrusive'; running it will crash the target service.
- The ET Snort rule requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect the encrypted HTTPS traffic on port 8015, otherwise the rule will not fire.
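
Where the console's HTTPS traffic cannot be decrypted and the rule above stays silent, the 502/503 symptom can still be hunted in front-end access logs. The script below is an added example, not code from the page or its sources; it assumes common/combined-format access logs and a 60-second correlation window, and its sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/management/services/EdgeServiceConsoleImpl"  # from the page
OUTAGE = {502, 503}               # statuses the page ties to a crashed backend
WINDOW = timedelta(seconds=60)    # assumption: correlation window, tune locally

# Assumption: front-end access log in common/combined log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b')

# Constructed sample lines (documentation/private address ranges), not real traffic.
SAMPLE = [
    '10.0.0.5 - - [12/Nov/2025:10:00:01 +0000] "GET /management/ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Nov/2025:10:00:05 +0000] "POST /management/services/EdgeServiceConsoleImpl HTTP/1.1" 500 310',
    '203.0.113.9 - - [12/Nov/2025:10:05:10 +0000] "POST /management/services/EdgeServiceConsoleImpl HTTP/1.1" 502 341',
    '10.0.0.5 - - [12/Nov/2025:10:05:12 +0000] "GET /management/ HTTP/1.1" 503 299',
    '10.0.0.7 - - [12/Nov/2025:10:05:20 +0000] "POST /management/services/EdgeServiceConsoleImpl HTTP/1.1" 503 299',
]

def parse(line):
    """Return (time, client, method, path, status), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])

def find_suspect_posts(lines, window=WINDOW):
    """List (client_ip, post_time, outage_time) for POSTs to the SOAP endpoint that
    returned, or were followed within `window` by, the first 502/503 of an outage."""
    findings, pending, healthy = [], [], True
    for ts, ip, method, path, status in sorted(filter(None, map(parse, lines))):
        # Forget endpoint POSTs older than the correlation window.
        pending = [(t, i) for t, i in pending if ts - t <= window]
        if method == "POST" and path == ENDPOINT:
            pending.append((ts, ip))
        if status in OUTAGE:
            if healthy:  # healthy -> outage transition: recent POSTs are leads
                findings += [(i, t, ts) for t, i in pending]
            pending, healthy = [], False  # POSTs during an outage are not leads
        else:
            healthy = True
    return findings

if __name__ == "__main__":
    for ip, sent, failed in find_suspect_posts(SAMPLE):
        print(f"{ip}: POST at {sent.isoformat()}, outage from {failed.isoformat()}")
```

Hits are triage leads rather than proof: a failed login (HTTP 500) shortly before an unrelated outage is reported too, so confirm against the console host's process crash records.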
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vulncheck · 7.5 HIGH
GHSA
GHSA-2x3m-8px8-74hr: A denial of service vulnerability exists in Arcserve Unified Data Protection 9
ghsa_unreviewed·2024-03-13
CVE-2024-0801 [HIGH] CWE-75 GHSA-2x3m-8px8-74hr: A denial of service vulnerability exists in Arcserve Unified Data Protection 9
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
VulnCheck
Arcserve Unified Data Protection 9.2 and 8.1 ASNative.dll Denial of Service
vulncheck·2024·CVSS 7.5
CVE-2024-0801 [HIGH] Arcserve Unified Data Protection 9.2 and 8.1 ASNative.dll Denial of Service
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
Affected: Arcserve Unified Data Protection
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://digital.nhs.uk/cyber-alerts/2024/cc-4487
Suricata
ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection Console Unauthenticated DoS in ASNative.dll (CVE-2024-0801)
suricata·2025-11-12·CVSS 7.5
CVE-2024-0801 [HIGH] ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection Console Unauthenticated DoS in ASNative.dll (CVE-2024-0801)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection Console Unauthenticated DoS in ASNative.dll (CVE-2024-0801)"; flow:established,to_server; http.uri; content:"/management/services/EdgeServiceConsoleImpl"; fast_pattern; http.request_body; content:"ns2:validateUserByUser"; content:"|22 3e|"; distance:0; pcre:"/^[^\x3c]*?[\x2f\x5c]/R"; reference:url,www.tenable.com/security/research/tra-2024-07; reference:cve,2024-0801; classtype:web-application-attack; sid:2065741; rev:1; metadata:affected_product Arcserve_UDP, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2024_0801, deployment Perimeter, deployment
Nuclei
Arcserve Unified Data Protection - Unauthenticated DoS in ASNative.dll
nuclei·CVSS 7.5
CVE-2024-0801 [HIGH] Arcserve Unified Data Protection - Unauthenticated DoS in ASNative.dll
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
Template:
```yaml
id: CVE-2024-0801
info:
  name: Arcserve Unified Data Protection - Unauthenticated DoS in ASNative.dll
  author: daffainfo
  severity: high
  description: |
    A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
  impact: |
    Attackers can cause system crashes or unavailability, leading to service disruption and potential downtime.
  remediation: |
    Update to the latest version of Arcserve Unified Data Protection or apply available patches.
  reference:
    - https://www.tenable.com/security/research/tra-2024-07
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0801
  classificati
```