Multiple Veeam vulns spark concern among defenders


A series of vulnerabilities in products made by backup and recovery software supplier Veeam, which were disclosed and patched on 4 September 2024, are causing alarm bells to ring in the cyber security community.

The most pressing issue centres on the highest-severity flaw patched by Veeam, tracked as CVE-2024-40711, a remote code execution (RCE) vulnerability in Veeam Backup & Replication.

Discovered by researcher Florian Hauser of Code White, it carries a critical CVSS score of 9.8. In a statement made via social media network X, Code White said it was withholding full technical details of the issue for now, given the potential for exploitation.

Indeed, it is the potential threat from CVE-2024-40711 that is causing the most concern at present. According to data released by threat hunters at Censys, there are almost 3,000 Veeam Backup & Replication servers exposed to the public internet – the majority of them apparently located in France and Germany.

“This vulnerability is particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios,” the Censys team said.

“Earlier vulnerabilities in Veeam Backup & Replication, such as CVE-2023-27532 disclosed back in July, have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba and FIN7 for initial access, credential theft, and other malicious activities.”

The team at Rapid7, which has also been trawling its network telemetry for potential instances of exploitation, said that as of Monday 9 September they were not aware of any malicious activity focused on CVE-2024-40711.

However, striking a similar precautionary note to their peers, the Rapid7 team said: “Veeam Backup & Replication has a large deployment footprint, however, and several previous vulnerabilities affecting the software have been exploited in the wild, including by ransomware groups.”

According to Rapid7’s data, over 20% of the incident response cases it has handled this year to date have involved some element of Veeam being accessed or exploited, although typically this has happened after the attacker was already present in the victim environment, rather than as the initial point of entry.

Five other CVEs were also disclosed in Backup & Replication, including several that allow an attacker in control of a low-privilege account to turn off multifactor authentication, extract credentials and other sensitive data, and achieve RCE. They are all fixed in Backup & Replication 12.2 (build 12.2.0.334), and users should apply the patches as soon as possible.
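Because the fix is tied to a specific build rather than just the 12.2 version label, the practical check is a numeric comparison of each server's build against 12.2.0.334. The following is an added example, not code from the article or from Veeam: it parses build strings into comparable tuples and flags hosts in a constructed inventory that are below the fixed build. The hostnames and build strings are invented sample data; a version reported as a bare "12.2" is deliberately treated as unpatched, because it does not prove the 12.2.0.334 build is installed.

```python
from typing import Iterable

# Fixed build for the Backup & Replication CVEs, as stated in the advisory
# summarised above.
FIXED_BUILD = "12.2.0.334"


def parse_build(version: str) -> tuple[int, ...]:
    """Turn a Veeam build string such as '12.1.2.172' into a comparable tuple.

    Short strings are padded with zeros, so '12.2' becomes (12, 2, 0, 0) and
    sorts below the fixed build. Non-numeric fields raise ValueError.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected build string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the reported build is at or above the fixed build."""
    return parse_build(version) >= parse_build(fixed)


def unpatched_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return the sorted hostnames whose build is below the fixed build."""
    return sorted(host for host, ver in inventory if not is_patched(ver))


# Constructed sample inventory (hostname, build reported by the server).
SAMPLE_INVENTORY = [
    ("vbr-01.example.internal", "12.1.2.172"),  # last 12.1 build, still vulnerable
    ("vbr-02.example.internal", "12.2.0.334"),  # exactly the fixed build
    ("vbr-03.example.internal", "12.2"),        # version only, build unknown: treat as unpatched
    ("vbr-04.example.internal", "12.3.0.310"),  # hypothetical later build, patched
    ("vbr-05.example.internal", "11.0.1.1261"), # old 11.x build, vulnerable
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {host}")
```

Feed it the output of whatever inventory source you already have (CMDB export, vulnerability scanner results, or the version shown under Help > About on each console); the point is that the comparison must be done on the full four-field build, not on the "12.2" version string alone.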

Additionally, Veeam issued fixes for flaws in Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and Veeam Backup plugins for Nutanix AHV, Oracle Linux Virtualisation and Red Hat Virtualisation.
