Veeam fixes several security vulnerabilities, remote code execution possible

Attackers could also remotely delete files, manipulate authentication and elevate their privileges. Patches are available.

This article was originally published in German and has been automatically translated.

Various products from backup specialist Veeam suffered from security vulnerabilities, some of them critical, which the manufacturer has now fixed and published in its monthly security notice. Among them are flaws that allow attackers and ransomware gangs to access backups and backup servers.

A critical vulnerability (CVE-2024-40711, CVSS 9.8) in "Veeam Backup & Replication" allows attackers without a user account to remotely execute their own code (Remote Code Execution, RCE). Veeam gives no details on this or any of the other bugs and does not say whether any of them are being actively exploited.

Other high-severity vulnerabilities in Backup & Replication allow authenticated attackers to bypass multi-factor authentication (CVE-2024-40713, CVSS 8.8), execute code and leak information (CVE-2024-40710, CVSS 8.8), delete files (CVE-2024-39718, CVSS 8.1), intercept user credentials (CVE-2024-40714, CVSS 8.3) and escalate privileges locally (CVE-2024-40712, CVSS 7.8).

The vulnerabilities affect all 12.x versions up to and including 12.1.2.172 and are fixed in version 12.2.0.334.

Version 6 of the Veeam agent for Linux contains a bug that allows local privilege escalation (LPE). The vulnerability has the CVE ID CVE-2024-40709 and a high severity rating with a CVSS score of 7.8. Attackers who already have a user account on the target computer can escalate their privileges to the system user "root". The vulnerability is fixed in version 6.2.0.101 of the Linux agent.

The Veeam One monitoring software contains an "unplanned remote maintenance interface" (i.e. an RCE vulnerability) as well as other bugs. Two of them, the RCE bug CVE-2024-42024 (CVSS 9.1) and a leak of a local NTLM hash (CVE-2024-42019, CVSS 9.0), are classified as critical.

Other high-severity bugs in Veeam One allow code execution with administrator privileges (CVE-2024-42023, CVSS 8.8), credential harvesting (CVE-2024-42021, CVSS 7.5), configuration file manipulation (CVE-2024-42022, CVSS 7.5) and HTML injection (CVE-2024-42020, CVSS 7.3).

All 12.x versions up to and including Veeam One 12.1.0.3208 are affected; version 12.2.0.4093 fixes the vulnerabilities.

There are also security issues in the Service Provider Console (VSPC), including two critical ones with an almost perfect CVSS score of 9.9. These are CVE-2024-38650, which leaks the NTLM hash of the VSPC service account to a logged-in attacker, and CVE-2024-39714, a file upload vulnerability that allows attackers with low privileges to execute their own code via the uploaded files.

Users with a VSPC account can also upload or overwrite arbitrary files, resulting in two more high-severity RCE bugs with the CVE IDs CVE-2024-39715 (CVSS 8.5, prerequisite: REST API access) and CVE-2024-38651 (CVSS 8.5).

According to Veeam's security advisory, the bugs are present in version 8 up to and including 8.1.0.21377, yet are said to be fixed in that same version. Veeam does not resolve the contradiction; it is to be assumed that the update does in fact correct the errors.

In the backup plugins for Nutanix AHV, Oracle Linux Virtualization Manager and Red Hat Virtualization, Veeam's own security experts also found a high-severity flaw in internal tests that allowed privilege escalation by means of an SSRF attack (Server-Side Request Forgery). The bug, with the CVE ID CVE-2024-40718, is present in version 12.5.1.8 of the Nutanix AHV plugin and in version 12.4.1.45 of the Oracle/Red Hat plugin, as well as in all older versions with major version number 12. To eliminate it, administrators must update to Veeam Backup & Replication 12.2, which brings the plugins to v12.6.0.632 (Nutanix) or 12.5.0.299 (Oracle / Red Hat).

In any case, administrators should react quickly. Even though Veeam has not published any warnings about proof-of-concept exploits or exploitation by cybercrime gangs, the vulnerabilities jeopardize the usability of backups, which can have severe consequences in the event of a ransomware attack.
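A triage check a defender might run over a host inventory, added here as an example that is not part of the article or of Veeam's advisory: it encodes the first fixed build per product from the text above and flags every older build of the same major release. The product labels, hostnames and sample builds in the inventory are my own construction; for the Linux agent, where the text names only the fixed build, all older 6.x builds are treated as affected.

```python
"""Added triage helper (not Veeam's code): compare installed Veeam builds
with the first fixed build of each product named in the article above."""

# First fixed build per product, as stated in the article. Only the major
# release the article names is checked; other majors are out of scope here.
FIRST_FIXED = {
    "Backup & Replication": "12.2.0.334",
    "Agent for Linux": "6.2.0.101",
    "Veeam One": "12.2.0.4093",
    # Advisory lists 8.1.0.21377 as affected and fixed; treated as fixed here.
    "Service Provider Console": "8.1.0.21377",
    "Nutanix AHV plugin": "12.6.0.632",
    "Oracle/RHV plugin": "12.5.0.299",
}

def parse_version(text: str) -> tuple:
    """'12.1.2.172' -> (12, 1, 2, 172). Missing trailing parts count as 0,
    so a bare '12.2' sorts before 12.2.0.334 and is flagged (conservative)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(product: str, installed: str) -> bool:
    """True when the build is in the named major and older than the fix."""
    fixed = parse_version(FIRST_FIXED[product])
    inst = parse_version(installed)
    return inst[0] == fixed[0] and inst < fixed

def triage(inventory) -> dict:
    """inventory: 'host, product, build' lines. Returns per host the
    products still needing an update and the build to move to."""
    todo = {}
    for line in inventory:
        host, product, installed = (f.strip() for f in line.split(","))
        if is_affected(product, installed):
            todo.setdefault(host, []).append((product, FIRST_FIXED[product]))
    return todo

# Constructed sample inventory (hostnames and installed builds are made up).
SAMPLE_INVENTORY = [
    "vbr01, Backup & Replication, 12.1.2.172",
    "vbr02, Backup & Replication, 12.2.0.334",
    "lnx07, Agent for Linux, 6.1.2.134",
    "one01, Veeam One, 12.1.0.3208",
    "vspc1, Service Provider Console, 8.1.0.21377",
    "vbr01, Nutanix AHV plugin, 12.5.1.8",
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(f"{p} -> {b}" for p, b in items))
```

Builds the article does not cover (for example a 11.x Backup & Replication install) are reported as not affected by this check, not as safe.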

(cku)