Veeam patches critical flaws, urges users to update
The most concerning glitch affects VBR software
Data protection company Veeam Software has released security updates to address a total of 18 vulnerabilities affecting its products, including Veeam Backup & Replication (VBR), Service Provider Console, and Veeam ONE.
Among all the flaws addressed, five are classified as critical, with the potential for remote code execution (RCE).
The most concerning of them is a bug tracked as CVE-2024-40711, which affects VBR version 12.1.2.172 and earlier.
The flaw has been assigned a CVSS v3.1 score of 9.8 out of 10, indicating critical severity. It can be exploited without authentication, potentially leading to full system compromise.
In recent years, ransomware groups have targeted VBR vulnerabilities, exploiting them to steal backups and encrypt data, leaving organisations without the ability to recover.
Veeam urges users to install VBR version 12.2.0.334 immediately to avoid potential exploitation.
Veeam credited Florian Hauser of CODE WHITE GmbH with reporting the issue.
The other four critical vulnerabilities addressed by the company include:
- CVE-2024-38650 (CVSS score: 9.9) - A vulnerability in the Veeam Service Provider Console (VSPC) enabling low-privileged users to access the NTLM hash of the service account, which could be used to escalate privileges or gain unauthorised access.
- CVE-2024-39714 (CVSS score: 9.9) - A flaw that allows low-privileged users to upload arbitrary files onto the VSPC server, leading to RCE.
- CVE-2024-42024 (CVSS score: 9.1) - An RCE vulnerability in Veeam ONE that allows attackers with service account credentials to execute arbitrary code on the host machine.
- CVE-2024-42019 (CVSS score: 9.0) - An issue allowing attackers to access the NTLM hash of the Reporter Service account, potentially leading to further compromise if data has previously been collected via VBR.
Veeam has released patches for these critical vulnerabilities.
Users of Veeam ONE should upgrade to version 12.2.0.4093, and those using the Veeam Service Provider Console should install version 8.1.0.21377 to protect against exploitation.
Alongside these critical vulnerabilities, the latest security update also fixes 13 other high-severity flaws, which could result in privilege escalation, bypassing of multi-factor authentication, and code execution with elevated privileges. These include:
- CVE-2024-40710 (CVSS score: 8.8) allows low-privileged users to execute code remotely and extract sensitive data, such as saved credentials and passwords.
- CVE-2024-40713 (CVSS score: 8.8) enables low-privileged users to alter and bypass Multi-Factor Authentication (MFA) settings.
- CVE-2024-40714 (CVSS score: 8.3) relates to weak TLS certificate validation, allowing credential interception during restore operations.
- CVE-2024-39718 (CVSS score: 8.1) allows low-privileged users to remotely remove files with permissions equivalent to the service account.
- CVE-2024-40712 (CVSS score: 7.8) involves a path traversal vulnerability that can lead to local privilege escalation.
Veeam has released updates to address all high-severity flaws.
The company has not disclosed whether any of these vulnerabilities have been exploited in the wild.
However, given the severity of these vulnerabilities and the potential for exploitation by threat actors, the company strongly urges users to update to the latest versions as soon as possible.
"Unsupported product versions are not tested, but are likely affected and should be considered vulnerable," Veeam warned.
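To turn the fixed builds listed above into an inventory check, here is an added example (not Veeam's own tooling) that compares an installed build string against the fixed version for each product. The product names and the sample inventory are constructed, and treating any older major line as "unsupported" (which, per Veeam's note, should be considered vulnerable) is an assumption, since the article does not say which lines are out of support.

```python
# Fixed builds per product, as stated in the advisory coverage above.
FIXED_VERSIONS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '12.1.2.172' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for an installed build.

    At or above the fixed build: patched. Same major line but below the fixed
    build: vulnerable. An older major line is flagged 'unsupported' (assumption:
    not tested by the vendor, so it must also be treated as vulnerable).
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for {product!r}")
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    if have >= fixed:
        return "patched"
    if have[0] < fixed[0]:
        return "unsupported"
    return "vulnerable"


def report(inventory: dict[str, str]) -> dict[str, str]:
    """Assess every product -> installed-version pair in an inventory."""
    return {product: assess(product, ver) for product, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "Veeam Backup & Replication": "12.1.2.172",  # last affected build named above
        "Veeam ONE": "12.2.0.4093",
        "Veeam Service Provider Console": "7.0.0.1",  # older major line
    }
    for product, status in report(sample).items():
        print(f"{product}: {status}")
```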