On 4 September 2024, Veeam released a security bulletin addressing several critical vulnerabilities in its backup and replication products[1]. The identified vulnerabilities could potentially allow unauthorised access, remote code execution, or data exposure, posing significant risks to data protection and recovery environments. This may lead to gaining access to the backup infrastructure hosts. Since these vulnerabilities could have a big impact, Northwave would like to warn you and advise you on actions to take in order to mitigate the risks of these vulnerabilities.
Description
Veeam products are designed to provide comprehensive data protection and management solutions. They offer backup and recovery options to ensure that data is securely backed up and can be quickly restored in case of data loss or corruption. Recently published security updates address a total of 18 security flaws, 5 of which are categorised as critical vulnerabilities.
|
CVE
|
Description
|
CVSS v3.1 Score
|
|
CVE-2024-40711
|
Allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed
|
9.1
|
|
CVE-2024-42019
|
Allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication
|
9.0
|
|
CVE-2024-40711
|
Allowing unauthenticated remote code execution (RCE) to an attacker in Veeam Backup & Replication
|
9.8
|
|
CVE-2024-39714
|
Permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server
|
9.9
|
|
CVE-2024-38650
|
Allows a low privileged attacker to access the NTLM hash of service account on the VSPC server
|
9.9
|
The Critical vulnerabilities affect the following Veaam products:
- Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds (CVE-2024-40711)
- Veeam ONE 12.1.0.3208 and all earlier version 12 builds (CVE-2024-42024, CVE-2024-42019)
- Veeam Service Provider Console 8.0.0.19552 and all earlier version 8 builds (CVE-2024-38650, CVE-2024-39714)
Impact
We estimate the impact of these vulnerabilities as HIGH. Exploitation of these vulnerabilities could compromise the integrity, confidentiality, and availability of backup data. Successful exploitation might allow attackers to deploy ransomware, alter backup data, or cause significant disruptions in business continuity.
Risk
We estimate the risk of these vulnerabilities as HIGH, because of the popularity and widespread usage of the Veeam solutions. At the time of writing there is no indication that this vulnerability is currently actively exploited in the wild, but this type of vulnerabilities has been seen as a interesting target for Ransomware groups[2].
Mitigation
Veeam has published updates to remediate the vulnerabilities. Northwave recommends updating your Veeam solution to the latest version as soon as possible.
What should you do?
In order to resolve the critical vulnerabilities in Veeam products, we highly recommend the following actions:
- Update your Veeam Backup & Replication to v12.2 (build 12.2.0.334).
- Update your Veeam ONE to v12.2 (build 12.2.0.4093).
- Update your Veeam Service Provider Console to v8.1 (build 8.1.0.21377).
What will Northwave do?
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources