Article Details

Veeam warns of critical RCE flaw in Backup & Replication software. Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One. The most severe of the problems addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability on Veeam Backup & Replication (VBR) that can be exploited without authentication. VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. As it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators. Ransomware actors target the service to steal backups for double-extortion and delete/encrypt backup sets, so victims are left without recovery options. In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, were observed targeting VBR vulnerabilities. The flaw, which was reported via HackerOne, impacts Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch. Although not many details have been disclosed at this time, critical RCE flaws generally allow for a complete system takeover, so users shouldn't postpone installing the fixes in VBR version 12.2.0.334. The other flaws listed in the bulletin are related to Backup & Replication versions 12.1.2.172 and older are: More critical flaws in Veeam products On the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE products versions 12.1.0.3208 and older. Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine. Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires previous data collection through VBR. In Veeam Service Provider Console, there's CVE-2024-38650 (CVSS score 9.9) which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server. The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and enables a low-privileged user to upload arbitrary files onto the server, leading to remote code execution. All issues were fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, which users should upgrade to as soon as possible.