Veeam patches 5 critical vulnerabilities, including unauthenticated RCE flaw

Veeam released patches for 13 high-severity and five critical vulnerabilities, including one flaw in Veeam Backup & Replication that could lead to unauthenticated remote code execution (RCE).

The September 2024 Veeam security bulletin, last updated Thursday, includes bugs discovered in six Veeam products, with CVSS scores ranging from 7.3 to 9.9. Of special note is the unauthenticated RCE flaw in Veeam Backup & Replication tracked as CVE-2024-40711, which has a critical CVSS score of 9.8 and was reported by Florian Hauser of CODE WHITE GmbH.

While few details were provided about the vulnerability, CODE WHITE said in a social media post that CVE-2024-40711 could enable “full system takeover.”

“No technical details from us this time because this might instantly be abused by ransomware gangs,” the company stated on X.

Security researchers at watchTowr said they also tested the flaw, stating, “despite shenanigans with CVSS scores, we can confirm the latest Veeam vulnerabilities (CVE-2024-40711) allow auth bypass.”

Veeam vulnerabilities have been targeted by ransomware gangs in the past and users are urged to update their Veeam Backup & Replication instances to version 12.2 to address CVE-2024-40711, along with five other high-severity vulnerabilities.

Additional RCE vulnerabilities patched in Veeam ONE, Service Provider Console

Another critical vulnerability addressed this week is tracked as CVE-2024-42024, which has a CVSS score of 9.1 and could enable RCE on a machine where Veeam ONE Agent is installed, but only by an attacker who is already in possession of Veeam ONE Agent service account credentials.

A second critical Veeam ONE flaw with a CVSS score of 9.0, tracked as CVE-2024-42019, could enable an attacker to obtain the NTLM hash of a Veeam Reporter Service service account, but requires user interaction and access to additional data from Veeam Backup & Replication. Both of these Veeam ONE flaws are addressed in version 12.2, along with four high-severity bugs.

The other two critical vulnerabilities addressed in this week’s bulletin affect Veeam Service Provider Console (VSPC), and both have CVSS scores of 9.9. The first, tracked as CVE-2024-38650, could enable an attacker with low privileges to access the NTLM hash of a service account on a VSPC server, while the second, tracked as CVE-2024-39714, gives low-privileged users the ability to upload arbitrary files to the VSPC server, risking RCE.

The patched version, VSPC version 8.1, resolves both critical flaws along with two high-severity bugs.

The remaining high-severity flaws addressed in the bulletin are in the Veeam Agent for Linux, Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. Users should upgrade to Veeam Agent for Linux version 6.2, Veeam Backup for Nutanix AHV plug-in version 12.6.0.632 and Veeam Backup for Oracle Linux Virtualization manager and Red Hat Virtualization plug-in version 12.5.0.299 to address all flaws; these three patches also come included with Veeam Backup & Replication version 12.2.