
Veeam Software Security Advisories on Resolved Vulnerabilities

Concerning Veeam Service Provider Console, Veeam Backup & Replication 12.3, and Veeam Agent for Microsoft Windows

Veeam Software Inc. has published two security advisories concerning resolved vulnerabilities.

Veeam Service Provider Console Vulnerabilities (CVE-2024-42448 | CVE-2024-42449)

KB ID: 4679
Product: Veeam Service Provider Console | 8.1
Published: 2024-12-03
Last Modified: 2024-12-03

This article documents a vulnerability discovered in Veeam Service Provider Console.

This vulnerability does not affect other Veeam products (e.g., Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE).

Issue details
All vulnerabilities disclosed in this section affect Veeam Service Provider Console 8.1.0.21377 and all earlier version 8 and version 7 builds.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-42448
From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
Severity: Critical
CVSS v3.1 Score: 9.9
Source: Discovered during internal testing.

CVE-2024-42449
From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Severity: High
CVSS v3.1 Score: 7.1
Source: Discovered during internal testing.

Solution
The vulnerability documented in this article was fixed starting in the following builds of Veeam Service Provider Console:

Critical update
We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console.

No Mitigations Available

No mitigation method is available for these vulnerabilities. The only remedy is to upgrade to the latest version of Veeam Service Provider Console.


Vulnerabilities Resolved in Veeam Backup & Replication 12.3

KB ID: 4693
Product: Veeam Backup & Replication | 12 | 12.1 | 12.2
Product: Veeam Agent for Microsoft Windows | 6.0 | 6.1 | 6.2
Published: 2024-12-03
Last Modified: 2024-12-03

All vulnerabilities documented in this article were resolved in Veeam Backup & Replication 12.3.

Veeam Product Latest Version Download Page

Veeam Backup & Replication Issue Details
All vulnerabilities disclosed in this section affect Veeam Backup & Replication 12.2.0.334 and all earlier version 12 builds.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-40717
A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to execute a script with elevated privileges by configuring it as a pre-job or post-job task, thereby causing the script to be executed as LocalSystem.
Severity: High
CVSS v3.1 Score: 8.8
Source: Discovered during internal testing.

CVE-2024-42451
A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to access all saved credentials in a human-readable format.
Severity: High
CVSS v3.1 Score: 7.7
Source: Discovered during internal testing.

CVE-2024-42452
A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to remotely upload files to connected ESXi hosts with elevated privileges.
Severity: High
CVSS v3.1 Score: 8.8
Source: Discovered during internal testing.

CVE-2024-42453
A vulnerability allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to control and modify the configuration of connected virtual infrastructure hosts.
Severity: High
CVSS v3.1 Score: 8.8
Source: Discovered during internal testing.

CVE-2024-42455
A vulnerability that allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to connect to remote services and exploit insecure deserialization by sending a serialized temporary file collection, thereby enabling the deletion of any file on the system with service account privileges.
Severity: High
CVSS v3.1 Score: 7.1
Source: Reported via HackerOne.

CVE-2024-42456
A vulnerability that allows an authenticated user with a role assigned in the Users and Roles settings on the backup server to gain access to privileged methods and control critical services.
Severity: High
CVSS v3.1 Score: 8.8
Source: Reported via HackerOne.

CVE-2024-42457
A vulnerability that allows an authenticated user with certain assigned operator roles in the Users and Roles settings on the backup server to expose saved credentials by leveraging a combination of methods in the remote management interface.
Severity: High
CVSS v3.1 Score: 7.7
Source: Discovered during internal testing.

CVE-2024-45204
A vulnerability that allows an authenticated user with an assigned role in the Users and Roles settings on the backup server to exploit insufficient permissions in credential handling, potentially leading to the leakage of NTLM hashes of saved credentials.
Severity: High
CVSS v3.1 Score: 7.7
Source: Discovered during internal testing.

Solution
The vulnerabilities documented in this section were fixed starting in the following build:

Mitigation information
The Veeam Backup & Replication vulnerabilities discussed in this section are related to the ability of an authenticated malicious user with a limited role (Viewer/Operator) to perform certain actions that are normally only possible with administrative privileges on the backup server. To mitigate these vulnerabilities until the backup server can be upgraded to version 12.3, remove untrusted and/or unnecessary users from the Users and Roles settings on the backup server for the time being.

  • Review all users assigned a role within Veeam Backup & Replication.
  • For each user with an Operator or Viewer role, assess internal necessity and remove access for users who do not strictly need it.
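The review described in the two steps above can be scripted on the backup server. The following is an added example, not code from the Veeam advisory: it assumes the Veeam.Backup.PowerShell module is installed and the session runs as a Backup Administrator, uses Veeam's Get-VBRUserRoleAssignment and Remove-VBRUserRoleAssignment cmdlets, and assumes the assignment objects expose Name and Role properties (the property names and the piping into Remove-VBRUserRoleAssignment are assumptions to verify against your installed version). The allow-list of approved accounts is constructed for illustration.

```powershell
# Added example: inventory non-administrator role assignments on a Veeam Backup
# & Replication server and optionally remove the ones not on an allow-list.
# Runs in report-only mode unless -Enforce is given.
Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

function Get-VBRNonAdminRoleReport {
    param(
        # Constructed allow-list of accounts that legitimately need a
        # Viewer/Operator role; replace with the organisation's own list.
        [string[]]$ApprovedAccounts = @('CONTOSO\svc-monitoring', 'CONTOSO\backup-operators'),
        # Remove assignments that are not approved. Off by default.
        [switch]$Enforce
    )

    # Assumption: each assignment object has .Name (account) and .Role (role).
    $assignments = Get-VBRUserRoleAssignment

    foreach ($a in $assignments) {
        $roleName = "$($a.Role)"
        # Administrators are out of scope for this mitigation; only limited
        # roles (Viewer/Operator and similar) are reviewed.
        if ($roleName -match 'Administrator') { continue }

        $approved = $ApprovedAccounts -contains $a.Name
        $action = if ($approved) { 'Keep' } elseif ($Enforce) { 'Removed' } else { 'Review' }

        if (-not $approved -and $Enforce) {
            # Assumption: the assignment object can be piped to the removal cmdlet.
            $a | Remove-VBRUserRoleAssignment
        }

        [pscustomobject]@{
            Account  = $a.Name
            Role     = $roleName
            Approved = $approved
            Action   = $action
        }
    }
}

# Report first; re-run with -Enforce only after the report has been reviewed.
Get-VBRNonAdminRoleReport | Sort-Object Approved, Role, Account | Format-Table -AutoSize
```

Run the report without -Enforce first and keep its output with the change record; the removal path is deliberately gated so that the script cannot strip access on an unreviewed allow-list.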


Veeam Agent for Microsoft Windows

Issue details
The vulnerability disclosed in this section affects Veeam Agent for Microsoft Windows 6.2 and all earlier version 6 builds.
Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.

CVE-2024-45207
A vulnerability could lead to a DLL injection attack when the PATH environment variable is altered to include directories where an attacker can write files.
Severity: High
CVSS v3.1 Score: 7.0
Source: Reported via HackerOne.

Solution
The vulnerability documented in this section was fixed starting in the following build:

Mitigation information
The Veeam Agent for Microsoft Windows vulnerability discussed in this section can only be exploited in environments where directories that can be written to by untrusted users have been added to the PATH environment variable, a condition classified as CWE-426 (Untrusted Search Path). As such, this vulnerability can be mitigated by removing such directories from the PATH variable.
Note: The default Windows PATH environment variable does not include paths writable by untrusted users.
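To find the CWE-426 condition the mitigation describes, an administrator can audit each entry of the machine-wide PATH for write access granted to low-privilege principals. The following is an added example, not code from the Veeam advisory: it uses only built-in PowerShell and .NET calls, and the list of principals treated as low-privilege is an assumption that should be adapted to the environment (domain groups that contain ordinary users belong on it too). It also flags entries that are relative or point to a missing directory, since both are variations of the same search-path weakness.

```powershell
# Added example: report machine-wide PATH entries that untrusted users could
# write to (CWE-426). Report only; removing an entry is a manual decision.

# Assumption: principals that represent non-administrative users on this host.
$script:LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that allow creating or altering files/subdirectories in a directory.
$script:WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteData, AppendData, Write, Modify, FullControl'

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($script:LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $script:WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-PathAuditReport {
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($rawEntry in ($machinePath -split ';')) {
        $entry = $rawEntry.Trim()
        if (-not $entry) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($entry)

        $finding =
            if (-not [System.IO.Path]::IsPathRooted($dir)) {
                'Relative entry: resolved against the current directory at runtime'
            }
            elseif (-not (Test-Path -LiteralPath $dir -PathType Container)) {
                'Missing directory: check whether a low-privilege user could create it'
            }
            elseif (Test-LowPrivWritable -Path $dir) {
                'Writable by low-privilege principals (CWE-426)'
            }
            else { 'OK' }

        [pscustomobject]@{ Entry = $entry; Resolved = $dir; Finding = $finding }
    }
}

# Show the risky entries first so they stand out in the report.
Get-PathAuditReport | Sort-Object { $_.Finding -eq 'OK' } | Format-Table -AutoSize
```

Run it in an elevated session so that Get-Acl can read every directory; an entry that the script cannot read at all is worth a manual look rather than being treated as safe. Per-user PATH additions are not covered here because the advisory's condition concerns directories that untrusted users can write to but a privileged process still searches.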
