Veeam, a leading provider of backup and disaster recovery solutions, has disclosed two significant vulnerabilities affecting its Service Provider Console (VSPC), including a critical remote code execution (RCE) flaw.
The vulnerabilities, discovered during internal testing, impact VSPC version 8.1.0.21377 and all earlier versions, including builds 8 and 7.
The most severe vulnerability, tracked as CVE-2024-42448, has been assigned a critical CVSS v3.1 score of 9.9. This flaw allows attackers to execute arbitrary code on unpatched VSPC servers from the management agent machine, provided the agent is authorized on the server.
The potential for remote code execution poses a significant threat to the security and integrity of affected systems.
Alongside the critical RCE flaw, Veeam also patched a high-severity vulnerability (CVE-2024-42449) with a CVSS v3.1 score of 7.1. This security issue enables attackers to steal the NTLM hash of the VSPC server service account and potentially delete files on the VSPC server.
Like the RCE vulnerability, this flaw can only be exploited if the management agent is authorized on the targeted server.
Affected Products and Versions
The vulnerabilities impact Veeam Service Provider Console 8.1.0.21377 and all earlier versions of builds 8 and 7. While unsupported product versions were not tested, Veeam warns that they should be considered vulnerable and urges users to upgrade.
Veeam has released security updates to address these vulnerabilities. The company strongly encourages service providers using supported versions of VSPC (versions 7 & 8) to update to the latest cumulative patch immediately. For those using unsupported versions, upgrading to the latest version of the Veeam Service Provider Console is crucial.
It’s important to note that no mitigation method is available for these vulnerabilities. The only effective remedy is to upgrade to the patched version, Veeam Service Provider Console 8.1.0.21999.
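Because the only remedy is the upgrade, the first practical step for a service provider is to find every VSPC server still below the fixed build. The following script is an added example written for this article, not Veeam's own tooling: it compares reported version strings against the build numbers quoted above (8.1.0.21377 last vulnerable, 8.1.0.21999 fixed). It assumes that any build at or above 8.1.0.21999 carries the fix, that builds 7 and 8 below it are affected, and that anything older is unsupported and, per Veeam, to be treated as vulnerable. The inventory lines and hostnames are constructed for the example.

```python
import re
from collections import Counter

# Build numbers quoted in the advisory summary above.
PATCHED_BUILD = (8, 1, 0, 21999)          # first release that carries the fix
SUPPORTED_MAJORS = (7, 8)                 # builds Veeam tested and patched

VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints (missing parts are 0); None if malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def classify(version_text):
    """Classify one reported VSPC version against the advisory.

    Returns 'patched', 'affected', 'assume-vulnerable' (unsupported, untested
    build that Veeam says to treat as vulnerable) or 'unknown' (unparseable).
    Assumption: any build at or above 8.1.0.21999 carries the fix.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v >= PATCHED_BUILD:
        return "patched"
    if v[0] in SUPPORTED_MAJORS:
        return "affected"
    return "assume-vulnerable"


def triage(inventory_csv):
    """Map each 'host,version' line of a constructed inventory to a status."""
    statuses = {}
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        statuses[host.strip()] = classify(version)
    return statuses


def needs_action(statuses):
    """Hosts that must be upgraded: anything not confirmed patched, unknowns included."""
    return sorted(h for h, s in statuses.items() if s != "patched")


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = """\
# host,reported VSPC version
vspc-prod-01,8.1.0.21377
vspc-prod-02,8.1.0.21999
vspc-lab-01,7.0.0.1
vspc-legacy-01,6.0.0.1
vspc-unknown-01,not reported
"""

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, status in result.items():
        print(f"{host:18} {status}")
    print("summary:", dict(Counter(result.values())))
    print("upgrade required:", needs_action(result))
```

Hosts whose version cannot be parsed are deliberately kept on the action list rather than silently dropped, since an unreported version is exactly the server most likely to be forgotten during patching.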
The discovery of these vulnerabilities underscores the critical importance of timely patching and updating in maintaining cybersecurity. Recent incidents involving the exploitation of Veeam vulnerabilities, such as the use of CVE-2024-40711 in Frag, Akira, and Fog ransomware attacks, highlight the urgency of addressing these security flaws.
Given Veeam’s extensive customer base, which includes over 550,000 customers worldwide and a significant portion of Global 2000 and Fortune 500 companies, the potential impact of these vulnerabilities is substantial.
Service providers and enterprises using VSPC are strongly advised to take immediate action to protect their systems and data.
Organizations should promptly apply the available security updates to safeguard their backup and disaster recovery infrastructure against potential exploitation of these critical vulnerabilities.