
Veeam Releases September 2024 Security Bulletin

Security bulletin addresses critical severity vulnerabilities affecting Backup & Replication, ONE, Service Provider Console, and other Veeam product lines




Threat details

Unsupported versions should be considered vulnerable

Veeam states that unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Public proof-of-concept exploit for CVE-2024-40711

Security researchers have published a proof-of-concept (PoC) exploit for CVE-2024-40711, the unauthenticated remote code execution vulnerability in Veeam Backup & Replication.

Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in the wild by ransomware groups shortly after official disclosure, and the NHS England National CSOC assesses exploitation as likely for the vulnerabilities covered in this cyber alert.


Introduction

Veeam has issued a security bulletin that addresses 18 vulnerabilities affecting Backup & Replication, ONE, Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Veeam Backup & Replication is a proprietary backup application for virtual environments built on various hypervisors.


Vulnerability details

Veeam Backup & Replication has six vulnerabilities, with one considered critical and five high severity.

  • The critical vulnerability CVE-2024-40711 could allow an unauthenticated attacker to achieve remote code execution (RCE).
  • The five high severity vulnerabilities relate to multi-factor authentication (MFA) bypass, RCE with extraction of sensitive information, removal of files, interception of credentials during restore operations, and privilege escalation.

Veeam Agent for Linux has one privilege escalation vulnerability considered high severity.

Veeam ONE has six vulnerabilities, with two considered critical and four high severity.

  • Critical vulnerability CVE-2024-42024 could allow an attacker to perform RCE.
  • Critical vulnerability CVE-2024-42019 could allow an attacker to access the NTLM hash of the service account running the Veeam Reporter Service. User interaction is required.
  • The four high severity vulnerabilities relate to RCE, access to saved credentials, modification of product configuration files, and HTML injection.

Veeam Service Provider Console (VSPC) has four vulnerabilities, with two considered critical and two high severity.

  • Critical vulnerability CVE-2024-38650 could allow access to the NTLM hash of a service account on the VSPC.
  • Critical vulnerability CVE-2024-39714 and the two high severity vulnerabilities could be exploited to achieve RCE.

The Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization plug-ins share one privilege escalation vulnerability considered high severity.


Threat updates

Date        | Update
------------|--------------------------------------------------
10 Sep 2024 | Proof-of-concept exploit released for CVE-2024-40711

Remediation advice

Affected organisations are encouraged to review the Veeam Security Bulletin (September 2024) KB4649 (https://www.veeam.com/kb4649) and apply the relevant updates. Because unsupported versions are considered vulnerable, any installation on a release line that does not receive the fix should be upgraded rather than left in place.
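The check a practitioner would want before and after applying the updates is an inventory of which Veeam builds are actually installed on each Windows host. The PowerShell below is an added example, not code from the NHS England alert or from Veeam: it reads the Add/Remove Programs registry entries, matches the Veeam products covered by this bulletin, and flags any build older than the fixed build. The fixed build numbers in the table are my recollection of KB4649 (Backup & Replication 12.2, Veeam ONE 12.2, Service Provider Console 8.1) and must be confirmed against the bulletin before use; it also assumes the DisplayVersion registry value carries the full four-part build, which should be checked against Help > About in the console.

```powershell
# Added example (not from the NHS England alert or from Veeam's KB4649):
# inventory a Windows host for Veeam components and flag builds older than
# the fixed build for each product covered by the September 2024 bulletin.
#
# ASSUMPTIONS (verify before relying on this):
#  - the fixed builds below are as I recall them from KB4649; confirm the
#    exact build numbers against the bulletin;
#  - the Add/Remove Programs DisplayVersion value carries the full build
#    (compare with Help > About in the product console on one host first).
$FixedBuilds = [ordered]@{
    'Veeam Backup & Replication'     = [version]'12.2.0.334'
    'Veeam ONE'                      = [version]'12.2.0.4093'
    'Veeam Service Provider Console' = [version]'8.1.0.21377'
}

function Get-InstalledVeeamProducts {
    # Check both the native and WOW6432Node uninstall hives. Veeam registers
    # several entries per product (server, console, services), so keep all of
    # them: an out-of-date console on an admin workstation is still a finding.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Get-VeeamPatchStatus {
    param([object[]]$Installed = (Get-InstalledVeeamProducts))

    foreach ($product in $FixedBuilds.Keys) {
        $fixed   = $FixedBuilds[$product]
        $entries = $Installed | Where-Object { $_.DisplayName -like "$product*" }
        if (-not $entries) { continue }   # product not present on this host

        foreach ($entry in $entries) {
            $build  = $null
            $parsed = [version]::TryParse($entry.DisplayVersion, [ref]$build)
            # Anything below the fixed build is treated as vulnerable. This
            # deliberately includes older major versions: the bulletin says
            # unsupported versions are likely affected and get no patch.
            $status = if (-not $parsed)            { 'Unknown (unparseable version string)' }
                      elseif ($build -ge $fixed)   { 'Patched' }
                      else                         { 'Vulnerable (below fixed build)' }

            [pscustomobject]@{
                Component      = $entry.DisplayName
                InstalledBuild = $entry.DisplayVersion
                FixedBuild     = $fixed.ToString()
                Status         = $status
            }
        }
    }
}

# Run locally on each Veeam server and on any workstation with the console
# installed; for an estate, push it through your endpoint-management tool or
# Invoke-Command and collect the objects centrally.
Get-VeeamPatchStatus | Format-Table -AutoSize
```

Veeam Agent for Linux and the Nutanix AHV and Oracle Linux Virtualization Manager/Red Hat Virtualization plug-ins are not covered by this script; they are installed on Linux hosts or as backup appliance components and need to be checked through their own package manager or the Backup & Replication console respectively.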



Last edited: 10 September 2024 1:51 pm