Veeam has published a new Security Bulletin addressing multiple critical vulnerabilities across its suite of products. The Veeam security bulletin, identified as KB ID: 4649, includes updates on Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.
The security issues detailed in this bulletin include several high-severity vulnerabilities that could affect the security and functionality of Veeam’s solutions. This article gives a brief overview of the updates described in the Veeam security bulletin.
Key Highlights from the Veeam Security Bulletin
Here’s a detailed look at the vulnerabilities discovered and their respective fixes:
1. Veeam Backup & Replication
Several vulnerabilities affecting Veeam Backup & Replication 12.1.2.172 and earlier versions have been reported. These vulnerabilities include:
- CVE-2024-40711: This critical vulnerability allows unauthenticated remote code execution (RCE). Discovered by Florian Hauser of CODE WHITE GmbH, it carries a CVSS v3.1 score of 9.8.
- CVE-2024-40713: A high-severity vulnerability enabling a low-privileged user to alter Multi-Factor Authentication (MFA) settings, thus bypassing MFA. It has a CVSS v3.1 score of 8.8.
- CVE-2024-40710: This series of high-severity vulnerabilities allows remote code execution (RCE) under the service account and extraction of sensitive information. It also scores 8.8 on the CVSS v3.1 scale.
- CVE-2024-39718: Allows low-privileged users to remotely delete files on the system with service account permissions. It holds a CVSS v3.1 score of 8.1.
- CVE-2024-40714: A high-severity vulnerability in TLS certificate validation can let an attacker intercept sensitive credentials during restore operations, scoring 8.3 on the CVSS v3.1 scale.
- CVE-2024-40712: This path traversal vulnerability permits local privilege escalation (LPE) for an attacker with low-privileged access. It carries a CVSS v3.1 score of 7.8.
The solutions for these issues are included in Veeam Backup & Replication version 12.2 (build 12.2.0.334).
2. Veeam Agent for Linux
For Veeam Agent for Linux, versions 6.1.2.178 and earlier are affected by:
- CVE-2024-40709: This high-severity vulnerability enables local privilege escalation to the root level and scores 7.8 on the CVSS v3.1 scale.
This issue is resolved in Veeam Agent for Linux version 6.2 (build 6.2.0.101), which is included with Veeam Backup & Replication 12.2.
3. Veeam ONE
Veeam ONE 12.1.0.3208 and earlier versions are affected by several vulnerabilities:
- CVE-2024-42024: Allows remote code execution on the Veeam ONE Agent machine with possession of service account credentials. It has a CVSS v3.1 score of 9.1.
- CVE-2024-42019: Grants access to the NTLM hash of the Veeam Reporter Service account, requiring user interaction. It scores 9.0 on the CVSS v3.1 scale.
- CVE-2024-42023: Enables low-privileged users to execute code with Administrator privileges remotely, with a severity score of 8.8.
- CVE-2024-42021: Allows attackers with valid access tokens to access saved credentials, scoring 7.5 on the CVSS v3.1 scale.
- CVE-2024-42022: Allows modification of product configuration files, also scoring 7.5.
- CVE-2024-42020: HTML injection vulnerability in Reporter Widgets, scoring 7.3.
These vulnerabilities are addressed in Veeam ONE v12.2 (build 12.2.0.4093).
4. Veeam Service Provider Console
The Veeam Service Provider Console (VSPC) 8.0.0.19552 and earlier versions have been identified with:
- CVE-2024-38650: A critical vulnerability permitting low-privileged attackers to access the NTLM hash of the service account on the VSPC server, scoring 9.9 on the CVSS v3.1 scale.
- CVE-2024-39714: Allows low-privileged users to upload arbitrary files, leading to remote code execution on the VSPC server. This issue also scores 9.9.
- CVE-2024-39715: Similar to CVE-2024-39714 but through REST API access, with a high severity score of 8.5.
- CVE-2024-38651: Allows low-privileged users to overwrite files, leading to remote code execution, with a CVSS v3.1 score of 8.5.
The fixes are included in Veeam Service Provider Console v8.1 (build 8.1.0.21377).
5. Veeam Backup for Nutanix AHV and Other Plug-Ins
Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and earlier, as well as Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45, are impacted by:
- CVE-2024-40718: Allows local privilege escalation through an SSRF vulnerability, with a severity score of 8.8 on the CVSS v3.1 scale.
These issues are resolved in Veeam Backup for Nutanix AHV Plug-In v12.6.0.632 and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299, both included with Veeam Backup & Replication 12.2.
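As an added example (not code from the bulletin or from Veeam), the check below compares installed build numbers against the first fixed builds listed above so an inventory can be audited for pre-fix installs. The product-name keys and the sample inventory are constructed, and treating every build below the fixed build as needing the update is an assumption, not a statement from the bulletin.

```python
"""Compare installed Veeam builds against the fixed builds listed in KB 4649."""
from typing import Dict, List, Tuple

# First fixed build per product, as quoted in the bulletin summary above.
# Product-name keys are constructed labels used only by this script.
FIXED_BUILDS: Dict[str, str] = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Backup for Nutanix AHV Plug-In": "12.6.0.632",
    "Veeam Backup for OLVM and RHV Plug-In": "12.5.0.299",
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172); pad short strings so '12.2' == '12.2.0.0'.

    Numeric tuples compare correctly ('9' < '12'), unlike plain string comparison.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected build string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def needs_update(product: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed build.

    Assumption: any build below the fixed build is treated as needing the update,
    not only the 'and earlier' ceilings quoted in the bulletin.
    """
    return parse_build(installed) < parse_build(FIXED_BUILDS[product])


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the products in an inventory that are still on a pre-fix build."""
    return [p for p, v in inventory.items() if p in FIXED_BUILDS and needs_update(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts), mixing patched and unpatched builds.
    sample = {
        "Veeam Backup & Replication": "12.1.2.172",
        "Veeam ONE": "12.2.0.4093",
        "Veeam Service Provider Console": "8.0.0.19552",
    }
    for product in audit(sample):
        print(f"{product}: {sample[product]} is below fixed build {FIXED_BUILDS[product]}")
```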
Conclusion
This comprehensive Veeam Security Bulletin outlines critical updates and fixes for multiple Veeam products. Users are advised to update to the latest versions of Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and other related products to mitigate these vulnerabilities.
Regular updates and vigilant security practices remain essential in protecting against potential threats and ensuring the integrity of data protection solutions.