Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and ONE.
The most severe of the issues addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. Because it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.
Ransomware actors target the service to steal backups for double extortion and to delete or encrypt backup sets, leaving victims without recovery options.
In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, have been observed targeting VBR vulnerabilities.
The flaw, which was reported via HackerOne, impacts Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch.
Although not many details have been disclosed at this time, critical RCE flaws generally allow for a complete system takeover, so users should not postpone installing the fixes in VBR version 12.2.0.334.
The other flaws listed in the bulletin that affect Backup & Replication versions 12.1.2.172 and older are:
- CVE-2024-40710: Series of vulnerabilities enabling remote code execution (RCE) and sensitive data extraction (saved credentials and passwords) by a low-privileged user. (CVSS score: 8.8 "high")
- CVE-2024-40713: Low-privileged users can alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVSS score: 8.8 "high")
- CVE-2024-40714: Weak TLS certificate validation allows credential interception during restore operations on the same network. (CVSS score: 8.3 "high")
- CVE-2024-39718: Low-privileged users can remotely delete files with permissions equal to the service account. (CVSS score: 8.1 "high")
- CVE-2024-40712: Path traversal vulnerability allows a local low-privileged user to perform local privilege escalation (LPE). (CVSS score: 7.8 "high")
More critical flaws in Veeam products
In the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE product versions 12.1.0.3208 and older.
Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine.
Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires prior data collection via VBR.
In Veeam Service Provider Console, there is CVE-2024-38650 (CVSS score 9.9), which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server.
The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and allows a low-privileged user to upload arbitrary files onto the server, leading to remote code execution.
All issues were fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, which users should upgrade to as soon as possible.
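A small patch-triage helper, added here as an example and not Veeam's own tooling: it compares installed builds numerically against the fixed builds named in the bulletin and reports which CVEs still apply. The inventory format (host;product;build) and the sample hosts are assumptions; anything older than the fixed build is treated as needing the update.

```python
from typing import Dict, List, Optional, Tuple

# Fixed builds and the CVEs each addresses, as listed in the bulletin above.
FIXED_BUILDS: Dict[str, Tuple[str, List[str]]] = {
    "Backup & Replication": ("12.2.0.334", ["CVE-2024-40711", "CVE-2024-40710",
        "CVE-2024-40713", "CVE-2024-40714", "CVE-2024-39718", "CVE-2024-40712"]),
    "ONE": ("12.2.0.4093", ["CVE-2024-42024", "CVE-2024-42019"]),
    "Service Provider Console": ("8.1.0.21377", ["CVE-2024-38650", "CVE-2024-39714"]),
}

def parse_build(text: str) -> Optional[Tuple[int, ...]]:
    """'12.1.2.172' -> (12, 1, 2, 172); None unless every component is numeric."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def is_below_fix(product: str, build: str) -> Optional[bool]:
    """True if the build predates the fixed build; None for unknown product/build."""
    entry, installed = FIXED_BUILDS.get(product), parse_build(build)
    if entry is None or installed is None:
        return None
    # Tuples compare numerically per component, so "12.10" ranks above "12.2".
    return installed < parse_build(entry[0])

def triage(inventory: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Each line is 'host;product;build'. Returns (host, product, status, cves)."""
    results = []
    for line in inventory:
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 3:
            results.append((line, "?", "malformed", []))
            continue
        host, product, build = fields
        below = is_below_fix(product, build)
        status = "unknown" if below is None else ("UPDATE" if below else "ok")
        results.append((host, product, status, FIXED_BUILDS[product][1] if below else []))
    return results

# Constructed sample inventory; hostnames and the 12.10.0.1 build are made up.
SAMPLE_INVENTORY = [
    "vbr01; Backup & Replication; 12.1.2.172",
    "vbr02; Backup & Replication; 12.2.0.334",
    "one01; ONE; 12.1.0.3208",
    "vspc01; Service Provider Console; 8.1.0.21377",
    "srv09; Backup & Replication; 12.10.0.1",
    "bad-line",
]

if __name__ == "__main__":
    for host, product, status, cves in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {product:26} {status:9} {' '.join(cves)}")
```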