Alert!

Backup management tool: Malicious code vulnerability threatens Veeam Service Provider

To close a critical vulnerability, admins should update Veeam Service Provider promptly.

This article was originally published in German and has been automatically translated.

Attackers can target systems running the backup management tool Veeam Service Provider and, in the worst case, execute their own code to fully compromise them. Secure versions are available for download.

According to a security advisory from Veeam, the vulnerability (CVE-2024-29212) is classified as "critical". The vulnerability is located in Veeam Service Provider Console (VSPC). Versions 4.0, 5.0, 6.0, 7.0 and 8.0 are affected. Other products are said not to be at risk. The VSPC uses an insecure method to deserialize data.

Because input validation is insufficient, a remote attacker can inject and execute malicious code under certain unspecified conditions. To protect systems, admins must install VSPC version 7.0.0.18899 or 8.0.0.19236. As support for 4.0, 5.0 and 6.0 has already expired and there are no more security updates for these versions, admins should upgrade to the secure versions. Otherwise, systems will remain vulnerable.

Veeam claims to have discovered the vulnerability during internal testing. So far, there have been no reports of ongoing attacks.

Veeam last had to patch its Recovery Orchestrator software in February. Before that, attackers had been able to abuse two security vulnerabilities to escalate their privileges on the system.

(des)