Critical Vulnerabilities Expose Veeam ONE Software to Code Execution

Veeam Software has rolled out patches for four severe security vulnerabilities that expose users of its Veeam ONE product to remote code execution attacks.

The Ohio company issued an urgent advisory to document the flaws, which include a pair of critical issues with CVSS severity scores of 9.9 out of 10.

An IT monitoring and analytics solution, Veeam ONE provides organizations with real-time monitoring, management reporting, and business documentation for Veeam’s backup products.

Veeam is documenting the most serious issue as CVE-2023-38547 (CVSS 9.9), a security defect that could allow an attacker to execute code remotely.

“A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database,” the company warned.

The second critical issue, tracked as CVE-2023-38548 (CVSS 9.8), could allow an attacker to obtain the hashed password for the Veeam ONE Reporting Service.

“A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service,” Veeam said.

Veeam also patched a medium-severity issue (CVE-2023-38549) that allows an attacker with ‘power user’ privileges to obtain the access token of a Veeam ONE administrator. Successful exploitation requires interaction from the administrator.

A fourth issue, tracked as CVE-2023-41723, was also fixed to block attackers with read-only access from viewing the application’s dashboard schedule.

Veeam released hotfixes to address these flaws in Veeam ONE versions 11, 12, and 13. Administrators are advised to download the patches and install them as soon as possible.

Veeam makes no mention of any of these vulnerabilities being exploited in attacks, but attackers are known to have targeted flaws in its backup solutions.
