Veeam alerts on serious security vulnerabilities in their products

Veeam Software, a leading company in data backup and management solutions, has issued a critical security bulletin for September 2024. The release discloses multiple high-risk vulnerabilities affecting several of its core products, including Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, and Veeam Service Provider Console.

Critical vulnerabilities in Veeam Backup & Replication

The most severe vulnerability, identified as CVE-2024-40711, allows remote code execution without authentication in Veeam Backup & Replication. With a CVSS v3.1 score of 9.8, this flaw poses a critical risk to the security of systems using affected versions of the software.

Other significant vulnerabilities include:

  • CVE-2024-40710: A series of high-severity flaws allowing remote code execution and extraction of sensitive information.
  • CVE-2024-39718: Enables users with low privileges to remotely delete files.
  • CVE-2024-40714: A TLS certificate validation vulnerability that could allow interception of credentials during restore operations.

Veeam Agent for Linux also affected

The bulletin reveals a high-severity vulnerability (CVE-2024-40709) in Veeam Agent for Linux, allowing local users with low privileges to escalate their permissions to root level.

Security issues in Veeam ONE

Veeam ONE, the company’s monitoring and analytics solution, also presents critical vulnerabilities:

  • CVE-2024-42024: Allows remote code execution on machines with Veeam ONE Agent installed.
  • CVE-2024-42019: Allows access to the NTLM hash of the Veeam Reporter Service account.

Risks in Veeam Service Provider Console

The bulletin also warns of critical vulnerabilities in Veeam Service Provider Console, including:

  • CVE-2024-38650 and CVE-2024-39714: Allow attackers with low privileges to access sensitive information and execute remote code on the VSPC server.

Solutions and recommendations

Veeam has released updates for all affected products:

  • Veeam Backup & Replication: Version 12.2 (build 12.2.0.334)
  • Veeam Agent for Linux: Version 6.2 (build 6.2.0.101)
  • Veeam ONE: Version 12.2 (build 12.2.0.4093)
  • Veeam Service Provider Console: Version 8.1 (build 8.1.0.21377)

All Veeam product users are strongly recommended to update their systems to the latest versions to mitigate these security risks.
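As an added example (not part of the bulletin and not Veeam's own tooling), a short Python check that compares inventoried build numbers against the fixed builds listed above; the product names and fixed builds are taken from the bulletin, while the hostnames and installed builds are constructed sample data.

```python
# Added example: compare installed Veeam builds against the fixed builds
# named in the September 2024 bulletin. Product names and fixed build
# numbers come from the bulletin; the inventory below is constructed.
from typing import Dict, List, Tuple

# Minimum fixed build per product, as listed in the bulletin.
FIXED_BUILDS: Dict[str, str] = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
}

def parse_build(text: str) -> Tuple[int, ...]:
    """Turn '12.2.0.334' into (12, 2, 0, 334). Compare numerically, not as
    strings: '12.10' must sort after '12.2', which string order gets wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build.
    Missing trailing components count as zero, so '8.1' means 8.1.0.0."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"product not covered by this bulletin: {product!r}")
    have, need = parse_build(installed), parse_build(FIXED_BUILDS[product])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, build) for every host still below the fixed build."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]

# Constructed sample inventory: (hostname, product, installed build).
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.9"),
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),
    ("lx-agent-07", "Veeam Agent for Linux", "6.1.0.5"),
    ("one-01", "Veeam ONE", "12.2.0.4093"),
    ("vspc-01", "Veeam Service Provider Console", "8.1"),
]

if __name__ == "__main__":
    for host, product, build in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {build} is below fixed build {FIXED_BUILDS[product]}")
```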

Source: Veeam
