Skip to main content

Security bulletin addresses critical severity vulnerabilities affecting Backup & Replication, One, Server Provider Console, and other Veeam product lines

Threat ID:CC-4542
Threat Severity:Medium
Published:5 September 2024 4:34 PM

Summary

Security bulletin addresses critical severity vulnerabilities affecting Backup & Replication, One, Server Provider Console, and other Veeam product lines

Affected platforms

The following platforms are known to be affected:

Threat details

Unsupported versions should be considered vulnerable

Veeam states that unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

Public proof-of-concept exploit for CVE-2024-40711

Security researchers have published a proof-of-concept (POC) exploit for CVE-2024-40711. 

Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in-the-wild by ransomware groups shortly after official disclosure, and the NHS England National CSOC assess exploitation as likely for the vulnerabilities covered in this cyber alert.


Introduction

Veeam has issued a security bulletin that addresses 18 vulnerabilities affecting Backup & Replication, ONE, Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Veeam Backup & Replication is a proprietary backup application for virtual environments built on various hypervisors.



Vulnerability details

Veeam Backup & Replication has six vulnerabilities, with one considered critical and five high severity.

  • The critical vulnerability CVE-2024-40711 could allow an unauthenticated attacker to achieve remote code execution (RCE).
  • The high vulnerabilities relate to multi-factor authentication (MFA) bypass, RCE, extraction of sensitive information, removal of files, interception of credentials during restore operations, and privilege escalation.

Veaam Agent for Linux has one privilege escalation vulnerability considered high severity.

Veeam ONE has six vulnerabilities, with two considered critical and four high severity.

  • Critical vulnerability CVE-2024-42024 could allow an attacker to perform RCE
  • Critical vulnerability CVE-2024-42019 could allow an attacker to access the NTLM hash of the Veeam Reporter Service service account. User interaction is necessary.
  • The four high severity vulnerabilities relate to RCE, access to saved credentials, modification of product configuration files, and HTML injection.

Veeam Service Provider Console (VSPC) has four vulnerabilities, with two considered critical and two high severity.

  • Critical vulnerability CVE-2024-38650 could allow access to the NTLM hash of a service account on the VSPC.
  • Critical vulnerability CVE-2024-39714 and the two other high severity vulnerabilities could be exploited to achieve RCE

Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization plug-ins have one privilege escalation vulnerability considered high severity.

Threat updates

  
10 Sep 2024Proof-of-concept exploit released for CVE-2024-40711

Remediation advice

Affected organisations are encouraged to review the Veeam Security Bulletin (September 2024) KB4649 and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-40711A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
StatusPublished
CVE-2024-40713A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA.
StatusPublished
CVE-2024-40710A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.
StatusPublished
CVE-2024-39718An improper input validation vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account.
StatusPublished
CVE-2024-40714An improper certificate validation vulnerability in TLS certificate validation allows an attacker on the same network to intercept sensitive credentials during restore operations.
StatusPublished
CVE-2024-40712A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE).
StatusPublished
CVE-2024-40709A missing authorization vulnerability allows a local low-privileged user on the machine to escalate their privileges to root level.
StatusPublished
CVE-2024-42024A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.
StatusPublished
CVE-2024-42019A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication.
StatusPublished
CVE-2024-42023An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely.
StatusPublished
CVE-2024-42021An improper access control vulnerability allows an attacker with valid access tokens to access saved credentials.
StatusPublished
CVE-2024-42022An incorrect permission assignment vulnerability allows an attacker to modify product configuration files.
StatusPublished
CVE-2024-42020A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widgets that allows HTML injection.
StatusPublished
CVE-2024-38650An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server.
StatusPublished
CVE-2024-39714A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server.
StatusPublished
CVE-2024-39715A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server.
StatusPublished
CVE-2024-38651A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server.
StatusPublished
CVE-2024-40718A server side request forgery vulnerability allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.

Last edited: 10 September 2024 1:51 pm

Back to top