Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and ONE.
The most severe of the issues addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. Because it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.
Ransomware actors target the service to steal backups for double extortion and to delete or encrypt backup sets, so victims are left without recovery options.
In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, have been observed targeting VBR vulnerabilities.
The flaw, which was reported via HackerOne, affects Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch.
Although not many details have been disclosed at this time, critical RCE flaws typically allow for a complete system takeover, so users should not delay installing the fixes in VBR version 12.2.0.334.
The other flaws listed in the bulletin that affect Backup & Replication versions 12.1.2.172 and older are:
- CVE-2024-40710: Series of vulnerabilities enabling remote code execution (RCE) and sensitive data extraction (saved credentials and passwords) by a low-privileged user. (CVSS score: 8.8 “high”)
- CVE-2024-40713: Low-privileged users can modify Multi-Factor Authentication (MFA) settings and bypass MFA. (CVSS score: 8.8 “high”)
- CVE-2024-40714: Weak TLS certificate validation allows credential interception during restore operations on the same network. (CVSS score: 8.3 “high”)
- CVE-2024-39718: Low-privileged users can remotely remove files with permissions equivalent to those of the service account. (CVSS score: 8.1 “high”)
- CVE-2024-40712: Path traversal vulnerability allows a local low-privileged user to perform local privilege escalation (LPE). (CVSS score: 7.8 “high”)
More critical flaws in Veeam products
In the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE product versions 12.1.0.3208 and older.
Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine.
Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires prior data collection via VBR.
In Veeam Service Provider Console, there is CVE-2024-38650 (CVSS score 9.9), which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server.
The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and enables a low-privileged user to upload arbitrary files onto the server, leading to remote code execution.
All issues were fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, which users should upgrade to as soon as possible.
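For defenders triaging an estate against this bulletin, the following added Python example (not Veeam's code and not part of the original article) compares installed build strings with the fixed builds named above for Backup & Replication and ONE; the hostnames and inventory are constructed, and Service Provider Console is deliberately left out because the article gives the same build as both last affected and fixed.

```python
"""Flag Veeam installs whose build is older than the fixed build from the
September 2024 bulletin. Versions are compared numerically per component,
not as strings, so '12.10.x' correctly sorts after '12.9.x'."""
from typing import List, Tuple

# Fixed builds as stated in the bulletin summary above. Veeam Service
# Provider Console is omitted: the summary names 8.1.0.21377 as both the
# last affected and the fixed build, so confirm it against the vendor
# advisory before adding it here.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam ONE": "12.2.0.4093",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '12.1.2.172' into a tuple of ints.
    Missing trailing components count as zero, so '12.2' == '12.2.0.0'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))  # normalise short strings to four parts
    return tuple(nums)


def needs_update(product: str, installed: str) -> bool:
    """True when the installed build is older than the product's fixed build."""
    return parse_version(installed) < parse_version(FIXED_BUILDS[product])


def assess(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, product, installed, needs_update) rows for an inventory."""
    return [(h, p, v, needs_update(p, v)) for h, p, v in inventory]


# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.172"),  # last affected build
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),  # fixed build
    ("one-01", "Veeam ONE", "12.1.0.3208"),                  # last affected build
    ("one-02", "Veeam ONE", "12.2.0.4093"),                  # fixed build
]

if __name__ == "__main__":
    for host, product, version, outdated in assess(SAMPLE_INVENTORY):
        print(f"{host:8} {product:28} {version:12} {'UPDATE' if outdated else 'ok'}")
```

Feed it the build strings your inventory tooling reports for each server; any row flagged UPDATE is below the fixed build the bulletin names.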