Veeam patches 18 flaws, 5 critical, in its products
Take action: This is a huge package of critical and high severity vulnerabilities. If you are running Veeam products, review the list in detail and start planning an urgent patch. Keeping the Veeam products isolated in a trusted network helps, but it is not a complete mitigation: once any other system on that network is compromised, the attacker can reach the vulnerable Veeam products.
Veeam has issued security patches for multiple products, addressing 18 high and critical severity vulnerabilities in its September 2024 security bulletin.
Vulnerabilities affecting Veeam Backup & Replication:
- CVE-2024-40711 (CVSS score 9.8): A critical RCE flaw in Veeam Backup & Replication (VBR) that allows an unauthenticated attacker to execute arbitrary code remotely, potentially leading to full system takeover. This vulnerability affects VBR version 12.1.2.172 and all earlier versions of the 12 branch. Users are strongly advised to upgrade to VBR version 12.2.0.334 as soon as possible.
- CVE-2024-40710 (CVSS score 8.8): Allows remote code execution and extraction of sensitive data (e.g., saved credentials and passwords) by a low-privileged user.
- CVE-2024-40713 (CVSS score 8.8): Enables low-privileged users to alter and bypass Multi-Factor Authentication (MFA).
- CVE-2024-40714 (CVSS score 8.3): Weak TLS certificate validation that allows credential interception during restore operations on the same network.
- CVE-2024-39718 (CVSS score 8.1): Permits low-privileged users to remotely remove files with permissions equivalent to those of the service account.
- CVE-2024-40712 (CVSS score 7.8): A path traversal vulnerability that allows a local low-privileged user to perform local privilege escalation (LPE).
Vulnerabilities affecting Veeam ONE products:
- CVE-2024-42024 (CVSS score 9.1): Allows an attacker holding the Veeam ONE Agent service account credentials to perform RCE on the host machine.
- CVE-2024-42019 (CVSS score 9.0): Allows an attacker to access the NTLM hash of the Veeam Reporter Service account; exploitation requires prior data collection through VBR.
- CVE-2024-42023 (CVSS score 8.8): Allows low-privileged users to execute code remotely with Administrator privileges.
- CVE-2024-42021 (CVSS score 7.5): Allows an attacker with valid access tokens to access saved credentials.
- CVE-2024-42022 (CVSS score 7.5): Allows an attacker to modify product configuration files.
- CVE-2024-42020 (CVSS score 7.5): An HTML injection vulnerability in Reporter Widgets.
Vulnerabilities affecting Veeam Service Provider Console:
- CVE-2024-38650 (CVSS score 9.9): Allows a low-privileged attacker to access the NTLM hash of the service account on the Veeam Service Provider Console (VSPC) server.
- CVE-2024-39714 (CVSS score 9.9): Enables a low-privileged user to upload arbitrary files to the server, resulting in RCE.
- CVE-2024-39715 (CVSS score 8.5): Allows a low-privileged user who has been granted REST API access to upload arbitrary files to the VSPC server through the REST API, leading to remote code execution on the VSPC server.
- CVE-2024-38651 (CVSS score 8.5): Permits a low-privileged user to overwrite files on the VSPC server, which can lead to remote code execution on that server.
Vulnerabilities affecting Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization:
- CVE-2024-40718 (CVSS score 8.8): Allows a low-privileged user to perform local privilege escalation by exploiting an SSRF vulnerability.
Vulnerabilities affecting Veeam Agent for Linux:
- CVE-2024-40709 (CVSS score 7.8): Allows a local low-privileged user on the machine to escalate their privileges to root.
Veeam has fixed these issues in the following software versions:
- Veeam Backup & Replication: Version 12.2.0.334
- Veeam Agent for Linux: Version 6.2.0.101
- Veeam ONE: Version 12.2.0.4093
- Veeam Service Provider Console: Version 8.1.0.21377
- Veeam Backup for Nutanix AHV Plug-In: Version 12.6.0.632
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In: Version 12.5.0.299