Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.

The most severe of the problems addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability on Veeam Backup & Replication (VBR) that can be exploited without authentication.

VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. As it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.

Ransomware actors target the service to steal backups for double-extortion and delete/encrypt backup sets, so victims are left without recovery options.

In the past, the Cuba ransomware gang and FIN7, known to collaborate with Conti, REvil, Maze, Egregor, and BlackBasta, were observed targeting VBR vulnerabilities.

The flaw, which was reported via HackerOne, impacts Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch.

Although not many details have been disclosed at this time, critical RCE flaws generally allow for a complete system takeover, so users shouldn’t postpone installing the fixes in VBR version 12.2.0.334.

The other flaws listed in the bulletin are related to Backup & Replication versions 12.1.2.172 and older are:

• CVE-2024-40710: Series of vulnerabilities enabling remote code execution (RCE) and sensitive data extraction (saved credentials and passwords) by a low-privileged user. (CVSS score: 8.8 “high”)
• CVE-2024-40713: Low-privileged users can alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVSS score: 8.8 “high”)
• CVE-2024-40714: Weak TLS certificate validation allows credential interception during restore operations on the same network. (CVSS score: 8.3 “high”)
• CVE-2024-39718: Low-privileged users can remotely remove files with permissions equivalent to the service account. (CVSS score: 8.1 “high”)
• CVE-2024-40712: Path traversal vulnerability allows a local low-privileged user to perform local privilege escalation (LPE). (CVSS score: 7.8 “high”)

More critical flaws in Veeam products

On the same bulletin, Veeam lists four more critical-severity vulnerabilities impacting its Service Provider Console versions 8.1.0.21377 and earlier and ONE products versions 12.1.0.3208 and older.

Starting with CVE-2024-42024 (CVSS score 9.1), an attacker with ONE Agent service account credentials can perform remote code execution on the host machine.

Veeam ONE is also impacted by CVE-2024-42019 (CVSS score 9.0), which allows an attacker to access the NTLM hash of the Reporter Service account. Exploiting this flaw requires previous data collection through VBR.

In Veeam Service Provider Console, there’s CVE-2024-38650 (CVSS score 9.9) which allows a low-privileged attacker to access the NTLM hash of the service account on the VSPC server.

The second critical problem is tracked as CVE-2024-39714 (CVSS score 9.9) and enables a low-privileged user to upload arbitrary files onto the server, leading to remote code execution.

All issues were fixed in Veeam ONE version 12.2.0.4093 and Veeam Service Provider Console version 8.1.0.21377, which users should upgrade to as soon as possible.