Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and ONE.
The most severe of the issues addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. Because it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.
Ransomware actors target the service to steal backups for double extortion and to delete or encrypt backup sets, leaving victims without recovery options.
In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, have been observed targeting VBR vulnerabilities.
The flaw, which was reported via HackerOne, impacts Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch.
Although few details have been disclosed at this time, critical RCE flaws typically allow for a complete system takeover, so users should not postpone installing the fixes in VBR version 12.2.0.334.
The other flaws listed in the bulletin that affect Backup & Replication versions 12.1.2.172 and older are:
- CVE-2024-40710: A series of vulnerabilities enabling remote code execution (RCE) and sensitive data extraction (saved credentials and passwords) by a low-privileged user. (CVSS score: 8.8 "high")
- CVE-2024-40713: Low-privileged users can alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVSS score: 8.8 "high")
- CVE-2024-40714: Weak TLS certificate validation allows credential interception during restore operations on the same network. (CVSS score: 8.3 "high")
- CVE-2024-39718: Low-privileged users can remotely remove files with permissions equal to those of the service account. (CVSS score: 8.1 "high")
- CVE-2024-40712: A path traversal vulnerability allows a local low-privileged user to perform local privilege escalation (LPE). (CVSS score: 7.8 "high")
More critical flaws in Veeam products
In the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE product versions 12.1.0.3208 and older.
Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine.
Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires prior data collection via VBR.
In Veeam Service Provider Console, there is CVE-2024-38650 (CVSS score 9.9), which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server.
The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and allows a low-privileged user to upload arbitrary files onto the server, leading to remote code execution.
All issues were fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, which users should upgrade to as soon as possible.
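As an added inventory check that is not part of the article or of Veeam's own tooling, the script below classifies an installed Veeam Backup & Replication or Veeam ONE build against the affected and fixed build numbers quoted above. The product keys, the "12.0.0.0" floor for the VBR 12 branch and the "unlisted" status for builds that fall between the listed affected range and the fix are assumptions made here, not statements from the bulletin.

```python
def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted Veeam build string such as '12.1.2.172' into a comparable tuple."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)

# Build numbers from the September 2024 bulletin as summarised above.
# "floor" is an assumption: the oldest build the bulletin covers (VBR: the 12
# branch only; Veeam ONE: every build up to and including the listed one).
ADVISORY = {
    "VBR": {"floor": "12.0.0.0", "affected_max": "12.1.2.172", "fixed": "12.2.0.334"},
    "ONE": {"floor": None, "affected_max": "12.1.0.3208", "fixed": "12.2.0.4093"},
}


def assess(product: str, installed: str) -> dict:
    """Classify an installed build against the bulletin.

    status is one of:
      affected     - inside the range the bulletin lists as vulnerable
      fixed        - at or above the fixed build
      unlisted     - newer than the listed affected range but below the fix;
                     the bulletin does not name it, so verify with the vendor
      out_of_scope - older than the branch the bulletin covers
    """
    entry = ADVISORY[product]
    v = parse_version(installed)
    if v >= parse_version(entry["fixed"]):
        status = "fixed"
    elif entry["floor"] is not None and v < parse_version(entry["floor"]):
        status = "out_of_scope"
    elif v <= parse_version(entry["affected_max"]):
        status = "affected"
    else:
        status = "unlisted"
    return {"product": product, "installed": installed, "status": status,
            "upgrade_to": None if status == "fixed" else entry["fixed"]}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, build in [("VBR", "12.1.2.172"), ("VBR", "12.2.0.334"),
                           ("VBR", "11.0.1.1261"), ("ONE", "12.1.0.3208")]:
        print(assess(product, build))
```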