Cloud data management and data backup company Veeam has announced that it has released several patches that address more than a dozen bugs affecting different products. In a security advisory published earlier this week, Veeam said it had fixed a total of 18 bugs, five of which were rated as critical in severity.
The first is an unauthenticated remote code execution vulnerability in Veeam Backup & Replication, tracked as CVE-2024-40711 with a CVSS score of 9.8. The second and third flaws affect Veeam ONE. CVE-2024-42024, with a CVSS score of 9.1, allows an attacker who holds Agent service account credentials to perform remote code execution.
CVE-2024-42019 has a slightly lower CVSS score (9.0) and allows an attacker to obtain the NTLM hash of the Veeam Reporter Service account.
Two further critical flaws affect Veeam Service Provider Console. CVE-2024-38650, with a CVSS score of 9.9, lets a low-privileged attacker obtain the NTLM hash of the service account on the server. CVE-2024-39714, also scored 9.9, lets low-privileged users upload arbitrary files to the server.
The remaining 13 flaws are mostly rated high severity and cover multi-factor authentication (MFA) bypass, privilege escalation, remote code execution (RCE), and more.
Safe versions
To protect their infrastructure, users are advised to update to the following versions:
- Veeam Backup & Replication 12.2 (version 12.2.0.334)
- Veeam Agent for Linux 6.2 (Build 6.2.0.101)
- Veeam ONE v12.2 (Build 12.2.0.4093)
- Veeam Service Provider Console v8.1 (Build 8.1.0.21377)
- Veeam Backup Plugin for Nutanix AHV v12.6.0.632
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plugin v12.5.0.299
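Checking a fleet of installations against this list is a comparison of dotted build numbers, and the common mistake is to compare them as strings (so "12.2.0.1000" sorts below "12.2.0.334"). The script below is an added example, not Veeam's code or tooling: it carries the fixed builds from the list above, parses builds into integer tuples so the comparison is numeric, and triages a constructed inventory of hosts. The product names are the labels used in this article, and the installed builds in the sample inventory are made up for illustration.

```python
"""Triage installed Veeam builds against the fixed builds from the advisory.

Added example (not Veeam's own code). FIXED_BUILDS is copied from the
version list in the article; SAMPLE_INVENTORY is constructed input.
"""
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per product, as listed in the advisory.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
    "Veeam Backup Plugin for Nutanix AHV": "12.6.0.632",
    "Veeam Backup for OLVM and RHV Plugin": "12.5.0.299",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.2.0.334' into (12, 2, 0, 334) so that comparison is numeric.

    A plain string comparison gets this wrong: '12.2.0.1000' < '12.2.0.334'
    as text because '1' sorts before '3', yet build 1000 is the later one.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> Optional[bool]:
    """True if the installed build is at or above the fixed build,
    False if it is older (vulnerable), None if the product is not
    covered by this advisory (so nothing can be concluded from it)."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return None
    # Tuple comparison is component-wise and numeric; a shorter tuple such
    # as (12, 2) ranks below (12, 2, 0, 334), which is the conservative answer.
    return parse_build(installed) >= parse_build(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, product, build) rows into vulnerable / patched / unknown."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, product, build in inventory:
        status = is_patched(product, build)
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed sample inventory; hostnames and installed builds are made up.
SAMPLE_INVENTORY = [
    ("vbr-01", "Veeam Backup & Replication", "12.1.2.172"),
    ("vbr-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("one-01", "Veeam ONE", "12.2.0.4093"),
    ("vspc-01", "Veeam Service Provider Console", "8.0.0.100"),
    ("nas-01", "Some Other Product", "1.0.0"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The result is only as good as the inventory fed in: the build string must be read from the actual installation (the product's about dialog, package manager or installer registry entry), not from a change ticket, and a product that is absent from the table is reported as unknown rather than silently treated as safe.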
Via The Hacker News