Introduction

Veeam has identified several critical vulnerabilities affecting its software products, including the Veeam Service Provider Console (VSPC) and Veeam Backup & Replication. These vulnerabilities pose significant security risks, such as remote code execution and unauthorized access, necessitating immediate action from users to apply security patches and updates.

Description

Veeam has identified critical vulnerabilities affecting the Veeam Service Provider Console (VSPC) versions 8.1.0.21377 and earlier, specifically CVE-2024-42448 and CVE-2024-42449 [6]. CVE-2024-42448 [1] [2] [3] [4] [5] [6] [7] [8], which has a CVSSv3 score of 9.9 [5] [8], enables remote code execution (RCE) on the VSPC server [5] [8], allowing authenticated attackers to execute malicious code when an authorized management agent is present. CVE-2024-42449 [1] [2] [3] [4] [5] [6] [7] [8], rated at 7.1 [6], poses a risk of leaking the NTLM hash of the VSPC server’s service account and permits file deletion on the server, provided the attacker has access to the management agent machine and authorization on the server.

Both vulnerabilities were discovered during internal testing [2], and while there are currently no reports of in-the-wild exploitation, they present a significant risk to organizations utilizing this software [8]. Over 1.1 million potentially affected VSPC instances have been identified [7], with a substantial number located in the US and Germany [7]. Veeam has released urgent security patches in the 8.1.0.21999 update, addressing these vulnerabilities [2] [6], and service providers using supported versions of VSPC (versions 7 & 8) are strongly urged to upgrade immediately, as there are no available workarounds or mitigations [6]. Those on unsupported versions are also encouraged to upgrade [2], as this is the only method to address these vulnerabilities [2], although Veeam has not conducted tests on these versions [1].
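The build numbers above give a defender exactly what is needed to triage an inventory of VSPC servers. The following script is an added example (not Veeam's code and not from any of the cited sources): the fixed build 8.1.0.21999, the last affected build 8.1.0.21377 and the supported majors 7 and 8 come from the text, while the hostnames and the 7.x and 6.x build strings are constructed sample data; it conservatively treats every build below the fixed one as needing the update, since the advisory offers no workaround.

```python
"""Triage a VSPC inventory against the build numbers in this advisory.

Added example, not Veeam's code. The build constants come from the advisory;
SAMPLE_INVENTORY is constructed sample data for illustration only.
"""
from __future__ import annotations

FIXED_BUILD = (8, 1, 0, 21999)    # update that addresses CVE-2024-42448/-42449
LAST_AFFECTED = (8, 1, 0, 21377)  # "8.1.0.21377 and earlier" are affected
SUPPORTED_MAJORS = {7, 8}         # VSPC versions Veeam tested the upgrade on


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '8.1.0.21377' into (8, 1, 0, 21377) so builds compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable VSPC build string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-upgrade'.

    Conservative assumption: any build below the fixed one needs the update
    (the advisory names no workaround). The only distinction made is whether
    the upgrade path was tested by Veeam (majors 7 and 8) or not.
    """
    build = parse_build(version)
    if build >= FIXED_BUILD:
        return "patched"
    if build[0] in SUPPORTED_MAJORS:
        return "vulnerable"
    return "unsupported-upgrade"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status, listing the hosts to patch first."""
    report: dict[str, list[str]] = {
        "vulnerable": [], "unsupported-upgrade": [], "patched": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report


# Constructed sample inventory: hostnames and non-8.1 builds are made up.
SAMPLE_INVENTORY = {
    "vspc-de-01": "8.1.0.21377",  # last affected build from the advisory
    "vspc-us-02": "8.1.0.21999",  # fixed build from the advisory
    "vspc-us-03": "7.0.0.12345",  # supported major, still needs the update
    "vspc-lab-04": "6.0.0.1000",  # unsupported, upgrade path untested
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:20s} {', '.join(hosts) or '-'}")
```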

In addition to the vulnerabilities in VSPC, several high-severity vulnerabilities have been discovered in Veeam Backup & Replication. Notably, CVE-2024-40717 [5], which has a CVSSv3 score of 8.8 [8], allows an authenticated attacker to execute a script with elevated privileges [5]. Similarly, CVE-2024-42452 [1] [2] [3] [4] [5] [6] [7] [8], also scoring 8.8, enables an authenticated attacker to remotely upload files to connected ESXi hosts [5]. Other vulnerabilities [1] [2] [3] [5] [6] [7] [8], such as CVE-2024-42453 and CVE-2024-42456, both scoring 8.8, permit authenticated attackers to modify configurations of connected virtual infrastructure hosts and access privileged methods [5], respectively.

Furthermore, vulnerabilities in Veeam Agent for Microsoft Windows allow low-privileged users to perform remote code execution by updating existing jobs with elevated privileges [5]. Risks are also associated with starting an agent remotely in server mode, which can lead to credential theft and privilege escalation to system-level access. Additional vulnerabilities could enable low-privileged users to control and modify configurations on connected virtual infrastructure hosts [5], potentially resulting in Denial of Service (DoS) and data integrity issues due to improper permission checks [5]. Moreover, DLL injection vulnerabilities in Veeam Agent for Windows can occur if the system’s PATH variable includes insecure locations [5], allowing attackers to execute harmful code by placing malicious DLLs in these directories [5].

To stay protected [6], users must apply the latest patches and updates provided by Veeam. The company stresses that timely updating is the defence against potential exploitation [3]. Effective prioritization of vulnerabilities is essential to maintaining robust security, and teams should weigh factors such as asset exposure [8], active exploitation [8], and potential business impact to focus on the vulnerabilities that matter most [8]. Organizations are urged to review their Veeam deployments and apply the necessary updates to safeguard their infrastructure and client data [3]. In early November [1], Veeam also issued warnings about vulnerabilities in Backup Enterprise Manager [1], highlighting the ongoing need for vigilance in security practices.

Conclusion

The identified vulnerabilities in Veeam’s software products underscore the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts. Immediate application of the provided security patches and updates is essential to mitigate these risks. Organizations must prioritize these updates to protect their infrastructure and client data from potential exploitation. Continuous monitoring and assessment of security practices are vital to maintaining a secure environment and preventing future vulnerabilities.

References

[1] https://www.heise.de/en/news/Veeam-Service-Provider-Console-Critical-vulnerability-threatens-client-backups-10188105.html
[2] https://www.helpnetsecurity.com/2024/12/03/vspc-vulnerabilities-cve-2024-42448-cve-2024-42449/
[3] https://thesecmaster.com/blog/veeam-releases-patch-for-its-two-critical-vulnerabilities-in-service-provider-con
[4] https://feedly.com/cve/CVE-2024-42448
[5] https://digital.nhs.uk/cyber-alerts/2024/cc-4584
[6] https://cybermaterial.com/veeam-patches-critical-rce-flaw-in-vspc/
[7] https://www.csoonline.com/article/3617081/veeam-issues-patch-for-critical-rce-bug.html
[8] https://www.scworld.com/news/veeam-patches-bugs-in-vspc-one-leading-to-remote-code-execution