Date: 09-03-2023
On the 7th of March 2023, Veeam fixed a high risk vulnerability (CVE-2023-27532) via an update in its Backup & Replication product in versions V11a/V12[1]. Northwave recommends to install the update as soon as possible. The vulnerability allows attackers to obtain encrypted credentials stored in the configuration database. This may lead to gaining access to the backup infrastructure hosts. Since this vulnerability could have a big impact, Northwave would like to warn you and advise you on actions to take in order to mitigate the risk of the vulnerability.
Impact
Northwave estimates the impact of this vulnerability as high. According to Veeam's advisory[1], the root cause of this vulnerability is the process, Veeam.Backup.Service.exe (TCP 9401 by default), which allows an unauthenticated user to request encrypted credentials. This vulnerability is tracked under CVE-2023-27532 and has a CVSSv3.1 score of 7.5. It affects all Veeam Backup & Replication versions, making it possible for adversaries to request encrypted credentials which may then be used to access backup servers and thereby hampering or exfiltrating backup data.
Risk
Northwave estimates the risk of this vulnerability as high, because of the popularity and widespread usage of Veeam Backup & Replication. At the time of writing there is no indication that this vulnerability is currently actively exploited in the wild[2]. However, Northwave expects that the patch may be reverse engineered and exploited by threat actors in the near future.
What should you do?
This vulnerability is resolved by Veeam in the following Veeam Backup & Replication build numbers: 11a[3] and 12[4]. Northwave recommends to update all Veeam Backup & Replication installations as soon as possible.
Temporary Workaround: if you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.
What will Northwave do?
At the moment, there is not much information about the vulnerability available. Whenever more details become available, the Northwave SOC will investigate possible detection rules. Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. Northwave will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Sources
[1]: https://www.veeam.com/kb4424
[2]: https://thestack.technology/veeam-vulnerability-warning/
[3]: https://www.veeam.com/kb4245
[4]: https://www.veeam.com/kb4420
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.