Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues

September 5, 2024 at 01:09PM

Veeam has released security updates to fix 18 flaws, including 5 critical vulnerabilities allowing remote code execution in products such as Veeam Backup & Replication and Veeam ONE. The updates also address 13 other high-severity issues, and users are advised to update to the latest versions promptly to mitigate potential threats.

As of September 5, 2024, Veeam has released security updates that address a total of 18 security flaws in its software products. Five critical vulnerabilities have been identified, all of which could result in remote code execution.

The specific vulnerabilities and their impact are as follows:

1. CVE-2024-40711 (Veeam Backup & Replication) – Allows unauthenticated remote code execution (CVSS score: 9.8)
2. CVE-2024-42024 (Veeam ONE) – Enables an attacker with Agent service account credentials to perform remote code execution (CVSS score: 9.1)
3. CVE-2024-42019 (Veeam ONE) – Allows an attacker to access the NTLM hash of the Veeam Reporter Service service account (CVSS score: 9.0)
4. CVE-2024-38650 (Veeam Service Provider Console) – Allows a low-privileged attacker to access the NTLM hash of the service account on the server (CVSS score: 9.9)
5. CVE-2024-39714 (Veeam Service Provider Console) – Permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server (CVSS score: 9.9)

In addition to these critical vulnerabilities, the September 2024 updates also address 13 other high-severity flaws, which could lead to privilege escalation, multi-factor authentication (MFA) bypass, and code execution with elevated permissions.

The security updates have been released for various Veeam software products, each with its designated version and build number.

Given that these vulnerabilities could make Veeam software users a lucrative target for threat actors to deploy ransomware, it is advised that users update to the latest version as soon as possible to mitigate potential threats.
