Skip to main content

The security updates address one critical and ten high severity vulnerabilities

Threat ID:CC-4584
Threat Severity:Medium
Published:4 December 2024 3:30 PM

Summary

The security updates address one critical and ten high severity vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: 8.1.0.21377 and earlier
Veeam Service Provider Console
Versions: 12.2.0.334 and earlier
Veeam Backup & Replication
Versions: 6.2 and earlier
Veeam Agent for Microsoft Windows

Threat details

Introduction

Veeam has released updates addressing one critical and one high severity vulnerability in Service Provider Console. Nine further high severity vulnerabilities, eight in Backup & Replication and one in Veeam Agent for Microsoft Windows, were also addressed. A few vulnerabilities of note are listed below.



Vulnerability Details

Two vulnerabilities affect Veeam Service Provider Console:

  • CVE-2024-42448 has a CVSSv3 score of 9.9 and could allow an attacker with low privileges to achieve remote code execution (RCE) on the VSPC server machine.
  • CVE-2024-42449 has a CVSSv3 score of 7.1 and could allow an attacker with low privileges to leak the NTLM hash of the VSPC server service account and delete files on the VSPC server.

Eight further high severity vulnerabilities affect Veeam Backup & Replication. Four are highlighted:

  • CVE-2024-40717 has a CVSSv3 score of 8.8 and could allow an authenticated attacker with a role assigned in the 'Users and Roles settings' on the backup server to execute a script with elevated privileges.
  • CVE-2024-42452 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to remotely upload files to connected ESXi hosts.
  • CVE-2024-42453 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to modify the configuration of connected virtual infrastructure hosts. 
  • CVE-2024-42456 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to gain access to privileged methods and control critical services.

One further vulnerability affects Veeam Agent for Microsoft Windows. 

  • CVE-2024-45207 has a CVSSv3 score of 7.0 and could lead to a DLL injection attack when the PATH environment variable is altered to include directories where an attacker can write files.

Remediation advice

Affected organisations are encouraged to review the Veeam Advisories kb4679 and kb4693, and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-42449From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.
StatusReserved
CVE-2024-42448
StatusPublished
CVE-2024-40717A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server.
StatusPublished
CVE-2024-42452A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise.
StatusPublished
CVE-2024-42453A vulnerability Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially leading to Denial of Service (DoS) and data integrity issues. The vulnerability is caused by improper permission checks in methods accessed via management services.
StatusPublished
CVE-2024-42456A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result in unauthorized access, enabling the user to call privileged methods and initiate critical services. The issue arises due to insufficient permission requirements on the method, allowing users with low privileges to perform actions that should require higher-level permissions.
StatusPublished
CVE-2024-45207DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it inadvertently, allowing the attacker to execute harmful code. This could lead to unauthorized access, data theft, or disruption of services

Last edited: 4 December 2024 3:30 pm

Back to top