Advisory September 6, 2024

Critical Vulnerabilities in Veeam Products

Obrela Threat Intelligence Team

Several vulnerabilities have been identified in Veeam products. They could allow Remote Code Execution (RCE), privilege escalation, credential exposure and more. The vulnerabilities carry High and Critical CVSS scores, the highest being 9.8 out of 10.

Description:

Veeam released security patches for several of its products, including Veeam Backup & Replication (VBR), Veeam ONE, Veeam Service Provider Console (VSPC), and more. The numerous vulnerabilities addressed range from credential interception over the network to MFA bypass and unauthenticated RCE on server components.

The most critical of the vulnerabilities is CVE-2024-40711 (CVSS 9.8), which resides in the Veeam Backup & Replication component and allows full RCE without authentication. Other critical or high-risk vulnerabilities addressed in these products include CVE-2024-40710, CVE-2024-42024, CVE-2024-42023, CVE-2024-39714, CVE-2024-39715 and CVE-2024-38651.

Because the vulnerabilities were discovered through Veeam's internal security audits, no public details of the exploitation specifics and no proof-of-concept exploits currently exist. It is nevertheless safe to assume that threat actors are working to produce functional exploits as fast as possible, so prompt patching is strongly recommended.

Affected Versions:

  • Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.
  • Veeam ONE 12.1.0.3208 and all earlier version 12 builds.
  • Veeam Service Provider Console 8.0.0.19552 and all earlier version 8 builds.
  • Veeam Agent for Linux 6.1.2.1781 and all earlier version 6 builds.
  • Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and all earlier version 12 builds.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45 and all earlier version 12 builds.
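As an added example (not from the advisory or from Veeam), a small Python inventory check that encodes the thresholds above and flags components still inside the affected range. The product keys, hostnames and sample builds are constructed for illustration; "all earlier version N builds" is read as "same major version and build number at or below the listed one".

```python
from typing import Dict, List, Tuple

# Highest affected build per product and the major version the advisory scopes it to
# ("<build> and all earlier version N builds"); values copied from the list above.
AFFECTED: Dict[str, Tuple[str, int]] = {
    "Veeam Backup & Replication": ("12.1.2.172", 12),
    "Veeam ONE": ("12.1.0.3208", 12),
    "Veeam Service Provider Console": ("8.0.0.19552", 8),
    "Veeam Agent for Linux": ("6.1.2.1781", 6),
    "Veeam Backup for Nutanix AHV Plug-In": ("12.5.1.8", 12),
    "Veeam Backup for OLVM/RHV Plug-In": ("12.4.1.45", 12),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'12.1.2.172' -> (12, 1, 2, 172). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in parts)

def version_le(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """a <= b, padding the shorter tuple with zeros so that 12.1 equals 12.1.0.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def assess(product: str, installed: str) -> str:
    """Return 'affected', 'not_affected' or 'unlisted_major' for one component."""
    if product not in AFFECTED:
        raise KeyError(f"advisory lists no data for {product!r}")
    max_bad, major = AFFECTED[product]
    v = parse_version(installed)
    if v[0] != major:
        # e.g. a version 11 VBR server: outside what the advisory describes, so it
        # needs a manual look rather than a clean bill of health.
        return "unlisted_major"
    return "affected" if version_le(v, parse_version(max_bad)) else "not_affected"

def scan(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (host, product, version) rows down to those inside the affected range."""
    return [row for row in inventory if assess(row[1], row[2]) == "affected"]

# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = [
    ("vbr01", "Veeam Backup & Replication", "12.1.2.172"),   # last affected build
    ("vbr02", "Veeam Backup & Replication", "12.2.0.1"),     # above the threshold
    ("one01", "Veeam ONE", "12.1"),                          # short form, still affected
    ("vspc01", "Veeam Service Provider Console", "8.0.0.19552"),
]

if __name__ == "__main__":
    for host, product, version in scan(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```

Feed it the output of your asset inventory; anything reported as "unlisted_major" is outside what the advisory covers and should be reviewed against the vendor knowledge base rather than treated as safe.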

Recommendations:

  • Apply the most recent updates to all Veeam ecosystem components as soon as possible.
  • Ensure automatic updates are enabled for future instances.

References:

https://www.veeam.com/kb4649

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-veeam-products-could-allow-for-remote-code-execution_2024-096
