Veeam has released security updates addressing 18 vulnerabilities across its product line. Five of these are rated critical: the most severe allow remote code execution (RCE), and two expose the NTLM hashes of service accounts. The update matters because it covers widely deployed products such as Veeam Backup & Replication, Veeam ONE, and the Veeam Service Provider Console.
Understanding the Vulnerabilities
The most severe vulnerabilities identified in the September 2024 security bulletin include:
CVE-2024-40711 (CVSS score: 9.8): This flaw in Veeam Backup & Replication allows remote code execution without authentication, which makes it the most dangerous item in the bulletin: any party that can reach an unpatched backup server over the network can compromise it.
CVE-2024-42024 (CVSS score: 9.1): Found in Veeam ONE, this vulnerability enables an attacker with the Agent service account credentials to execute code remotely on the affected machine.
CVE-2024-42019 (CVSS score: 9.0): Also affecting Veeam ONE, this flaw allows attackers to access the NTLM hash of the Veeam Reporter Service account.
CVE-2024-38650 (CVSS score: 9.9): This vulnerability in the Veeam Service Provider Console permits low-privileged attackers to access the NTLM hash of the service account on the server.
CVE-2024-39714 (CVSS score: 9.9): Another critical issue in the Veeam Service Provider Console. A low-privileged user can upload arbitrary files to the server, which can be leveraged into remote code execution.
In addition to these five, the updates address 13 high-severity flaws whose impacts include privilege escalation, multi-factor authentication (MFA) bypass, and code execution with elevated permissions.
Mitigations and Recommendations
To close these vulnerabilities, update each affected product to at least the following fixed build:
Veeam Backup & Replication: Version 12.2 (build 12.2.0.334)
Veeam Agent for Linux: Version 6.2 (build 6.2.0.101)
Veeam ONE: Version 12.2 (build 12.2.0.4093)
Veeam Service Provider Console: Version 8.1 (build 8.1.0.21377)
Veeam Backup for Nutanix AHV Plug-In: Version 12.6.0.632
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In: Version 12.5.0.299
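A quick way to act on the list above is to compare each installed build against the fixed build for its product. The following Python script is an added example, not Veeam's own tooling; the product names are used only as lookup keys, and the hostnames and installed builds in SAMPLE_INVENTORY are constructed for illustration. It pads short build strings (for example "12.2") so they compare as older than the full fixed build rather than silently passing, and it refuses to report an unknown product as safe.

```python
"""Compare installed Veeam builds with the minimum fixed builds from the
September 2024 bulletin.  Added example, not Veeam tooling; the inventory
below is constructed for illustration."""

from typing import Dict, Iterable, List, Tuple

# Minimum fixed builds as listed in the bulletin (product -> build).
FIXED_BUILDS: Dict[str, str] = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Backup for Nutanix AHV Plug-In": "12.6.0.632",
    "Veeam Backup for Oracle Linux Virtualization Manager "
    "and Red Hat Virtualization Plug-In": "12.5.0.299",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172), padded to four fields.

    A short string such as '12.2' becomes (12, 2, 0, 0), so it compares as
    older than the fixed build instead of being mistaken for it.
    """
    parts = [int(p) for p in build.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(product: str, build: str) -> bool:
    """True if the installed build is at or above the fixed build.

    An unknown product raises KeyError so it cannot be reported as safe
    simply because no fixed build is on file for it.
    """
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fixed build known for {product!r}")
    return parse_build(build) >= parse_build(FIXED_BUILDS[product])


def unpatched_hosts(
    inventory: Iterable[Tuple[str, str, str]],
) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, required) for each unpatched entry."""
    findings = []
    for host, product, installed in inventory:
        if not is_patched(product, installed):
            findings.append((host, product, installed, FIXED_BUILDS[product]))
    return findings


# Constructed inventory: hostnames and installed builds are illustrative.
SAMPLE_INVENTORY = [
    ("vbr-01", "Veeam Backup & Replication", "12.1.2.172"),
    ("vbr-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("one-01", "Veeam ONE", "12.1.0.3208"),
    ("vspc-01", "Veeam Service Provider Console", "8.1.0.21377"),
    ("agent-lx-07", "Veeam Agent for Linux", "6.2"),
]

if __name__ == "__main__":
    for host, product, installed, required in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} < {required} -> UPDATE")
```

The check treats every build numerically below the fixed build as affected, which matches the bulletin's guidance to move to the listed version; it does not model vendor hotfixes on older branches, so feed it the build strings as reported by the installed products rather than marketing version numbers.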
Backup infrastructure is a favoured ransomware target because destroying or encrypting backups removes the victim's recovery path, so an unauthenticated RCE in a backup server is especially dangerous. Apply these updates promptly, and in the meantime confirm that the management interfaces of these products are not exposed to the internet and are reachable only from administrative networks.
Conclusion
The prompt release of these updates by Veeam underlines the ongoing need for vigilance in software security. Administrators should prioritize updating their systems to mitigate the risks these vulnerabilities carry. Regular patching and proactive security measures are essential to keeping data protection solutions intact and defending against emerging threats.