Veeam warns of critical RCE flaw in Backup & Replication software

Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and ONE.

The most severe of the issues addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) that can be exploited without authentication.

VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. Because it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.

Ransomware actors target the service to steal backups for double extortion and to delete or encrypt backup sets, so victims are left without recovery options.

In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, have been observed targeting VBR vulnerabilities.

The flaw, which was reported via HackerOne, impacts Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.

Although few details have been disclosed at this time, critical RCE flaws typically allow complete system takeover, so users should not postpone installing the fixes in VBR version 12.2.0.334.

The other flaws listed in the bulletin that affect Backup & Replication versions 12.1.2.172 and older are:

  • CVE-2024-40710: Series of vulnerabilities enabling remote code execution (RCE) and sensitive data extraction (saved credentials and passwords) by a low-privileged user. (CVSS score: 8.8 "high")
  • CVE-2024-40713: Low-privileged users can alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVSS score: 8.8 "high")
  • CVE-2024-40714: Weak TLS certificate validation allows credential interception during restore operations on the same network. (CVSS score: 8.3 "high")
  • CVE-2024-39718: Low-privileged users can remotely remove files with permissions equal to those of the service account. (CVSS score: 8.1 "high")
  • CVE-2024-40712: Path traversal vulnerability allows a local low-privileged user to perform local privilege escalation (LPE). (CVSS score: 7.8 "high")

More critical flaws in Veeam products

In the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE product versions 12.1.0.3208 and older.

Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine.

Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires prior data collection through VBR.

In Veeam Service Provider Console, there is CVE-2024-38650 (CVSS score 9.9), which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server.

The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and enables a low-privileged user to upload arbitrary files onto the server, leading to remote code execution.

All issues have been fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21999, to which users should upgrade as soon as possible.
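A practical first step after reading a bulletin like this is to check every Veeam host in an inventory against the affected and fixed builds it names, and to do so with numeric rather than string comparison (a lexical compare ranks "9.x" above "12.x"). The following is an added example, not code from Veeam or from this article; the affected/fixed builds for Backup & Replication and ONE are the ones stated above, the Service Provider Console fixed build 8.1.0.21999 is taken from Veeam's own bulletin (KB4649), and the hostnames and inventory entries are constructed for illustration. How you obtain the installed build from each server (registry, installed-programs list, Veeam console) is outside the example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected/fixed builds from Veeam's September 2024 bulletin.
# Key: product; value: (last affected build, first fixed build).
# The bulletin scopes each product to one major branch (VBR and ONE: 12, VSPC: 8).
BULLETIN: Dict[str, Tuple[str, str]] = {
    "Backup & Replication": ("12.1.2.172", "12.2.0.334"),
    "Service Provider Console": ("8.1.0.21377", "8.1.0.21999"),  # fixed build per KB4649
    "ONE": ("12.1.0.3208", "12.2.0.4093"),
}


def parse_version(s: str) -> Version:
    """Turn '12.1.2.172' into (12, 1, 2, 172), padding to four components,
    so that comparison is numeric. A plain string compare would rank
    '9.0.0.1' above '12.0.0.1' and '12.1.2.172' above '12.1.2.99'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    parts += ["0"] * (4 - len(parts))
    return tuple(int(p) for p in parts)


def assess(product: str, installed: str) -> str:
    """Classify an installed build against the bulletin.

    Returns:
      'vulnerable'  - at or below the last affected build on the covered branch
      'fixed'       - at or above the first fixed build
      'not covered' - a different major branch, or an interim build the bulletin
                      does not list; treat as needing manual review, not as safe
    """
    if product not in BULLETIN:
        raise KeyError(f"no bulletin entry for {product!r}")
    last_bad, first_good = (parse_version(v) for v in BULLETIN[product])
    v = parse_version(installed)
    if v[0] != last_bad[0]:          # bulletin only speaks for this major branch
        return "not covered"
    if v <= last_bad:
        return "vulnerable"
    if v >= first_good:
        return "fixed"
    return "not covered"


# Constructed sample inventory: hostnames are made up; builds mirror the bulletin
# boundaries plus one deliberately out-of-scope major version.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vbr-prod-01", "Backup & Replication", "12.1.2.172"),   # last affected build
    ("vbr-prod-02", "Backup & Replication", "12.2.0.334"),   # first fixed build
    ("vbr-lab-01", "Backup & Replication", "11.0.0.1"),      # other major branch (constructed)
    ("vspc-01", "Service Provider Console", "8.1.0.21377"),  # last affected build
    ("one-01", "ONE", "12.1.0.3208"),                        # last affected build
    ("one-02", "ONE", "12.2.0.4093"),                        # first fixed build
]


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return {hostname: status} for a list of (host, product, build) tuples."""
    return {host: assess(product, build) for host, product, build in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The "not covered" outcome is deliberate: a build the bulletin does not name should be escalated rather than silently treated as patched, and a different major branch needs its own vendor guidance.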
