Veeam Releases Updates for Service Provider Console and Backup & Replication

The security updates address one critical and ten high severity vulnerabilities

Threat ID:: CC-4584
Threat Severity:: Medium
Published:: 4 December 2024 3:30 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The security updates address one critical and ten high severity vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: 8.1.0.21377 and earlier

Veeam Service Provider Console

Versions: 12.2.0.334 and earlier

Veeam Backup & Replication

Versions: 6.2 and earlier

Veeam Agent for Microsoft Windows

Threat details

Introduction

Veeam has released updates addressing one critical and one high severity vulnerability in Service Provider Console. Nine further high severity vulnerabilities, eight in Backup & Replication and one in Veeam Agent for Microsoft Windows, were also addressed. A few vulnerabilities of note are listed below.

Vulnerability Details

Two vulnerabilities affect Veeam Service Provider Console:

CVE-2024-42448 has a CVSSv3 score of 9.9 and could allow an attacker with low privileges to achieve remote code execution (RCE) on the VSPC server machine.
CVE-2024-42449 has a CVSSv3 score of 7.1 and could allow an attacker with low privileges to leak the NTLM hash of the VSPC server service account and delete files on the VSPC server.

Eight further high severity vulnerabilities affect Veeam Backup & Replication. Four are highlighted:

CVE-2024-40717 has a CVSSv3 score of 8.8 and could allow an authenticated attacker with a role assigned in the 'Users and Roles settings' on the backup server to execute a script with elevated privileges.
CVE-2024-42452 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to remotely upload files to connected ESXi hosts.
CVE-2024-42453 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to modify the configuration of connected virtual infrastructure hosts.
CVE-2024-42456 has a CVSSv3 score of 8.8 and could allow an authenticated attacker to gain access to privileged methods and control critical services.

One further vulnerability affects Veeam Agent for Microsoft Windows.

CVE-2024-45207 has a CVSSv3 score of 7.0 and could lead to a DLL injection attack when the PATH environment variable is altered to include directories where an attacker can write files.

Remediation advice

Affected organisations are encouraged to review the Veeam Advisories kb4679 and kb4693, and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2024-42449

From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.

Status Reserved

CVE-2024-42448

Status Published

CVE-2024-40717

A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server.

Status Published

CVE-2024-42452

A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise.

Status Published

CVE-2024-42453

A vulnerability Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially leading to Denial of Service (DoS) and data integrity issues. The vulnerability is caused by improper permission checks in methods accessed via management services.

Status Published

CVE-2024-42456

A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result in unauthorized access, enabling the user to call privileged methods and initiate critical services. The issue arises due to insufficient permission requirements on the method, allowing users with low privileges to perform actions that should require higher-level permissions.

Status Published

CVE-2024-45207

DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it inadvertently, allowing the attacker to execute harmful code. This could lead to unauthorized access, data theft, or disruption of services

Last edited: 4 December 2024 3:30 pm