Veeam has released security updates that fix a total of 18 security flaws affecting its software products, including five critical vulnerabilities that could lead to remote code execution.
The flaws are listed below:
- CVE-2024-39714 (CVSS score: 9.9): This vulnerability exists in the Veeam Service Provider Console (VSPC). It permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on the server.
- CVE-2024-38650 (CVSS score: 9.9): This flaw is also present in the Veeam Service Provider Console (VSPC) and allows a low-privileged attacker to access the NTLM hash of the service account on the server.
- CVE-2024-42019 (CVSS score: 9.0): This vulnerability exists within Veeam ONE. It allows an attacker to gain access to the NTLM hash of the Veeam Reporter Service account.
- CVE-2024-42024 (CVSS score: 9.1): This weakness is found within Veeam ONE. It allows an attacker possessing the Agent service account credentials to execute remote code on the respective machine.
- CVE-2024-40711 (CVSS score: 9.8): This vulnerability lies within Veeam Backup & Replication, enabling unauthenticated remote code execution.
Furthermore, the September 2024 updates fix 13 other high-severity vulnerabilities that may allow privilege escalation, multi-factor authentication (MFA) bypass, and execution of code with elevated permissions.
All the issues have been fixed in the following versions:
- Veeam Backup & Replication 12.2 (build 12.2.0.334)
- Veeam Agent for Linux 6.2 (build 6.2.0.101)
- Veeam ONE v12.2 (build 12.2.0.4093)
- Veeam Service Provider Console v8.1 (build 8.1.0.21377)
- Veeam Backup for Nutanix AHV Plug-In v12.6.0.632
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299
Given that vulnerabilities in Veeam software have become an attractive target for threat actors aiming to deploy ransomware, users are strongly advised to upgrade to these latest versions as soon as possible to counter potential threats.



