December 4, 2024 at 01:38PM
Veeam released patches for two vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution flaw (CVE-2024-42448) with a CVSS score of 9.9. Service providers are urged to update to version 8.1.0.21999. The second flaw (CVE-2024-42449, CVSS 7.1) can leak an NTLM hash and allow file deletion on the VSPC server.
### Meeting Takeaways
1. **Vulnerabilities Identified**: Veeam has released patches for two vulnerabilities in the Veeam Service Provider Console (VSPC), one of them critical.
– **CVE-2024-42448**: A critical-severity flaw (CVSS 9.9) that allows remote code execution (RCE) on the VSPC server under certain conditions; per Veeam's advisory, the attack originates from a management agent machine that is already authorized on the VSPC server.
– **CVE-2024-42449**: A high-severity flaw (CVSS 7.1) that, under the same precondition, may leak an NTLM hash of the VSPC server service account and allow deletion of files on the VSPC server.
2. **Affected Versions**:
– Veeam Service Provider Console 7 and 8, up to and including build 8.1.0.21377, are affected. Earlier, unsupported versions may also be impacted.
3. **Patch Availability**: Both vulnerabilities were discovered during internal testing. Patches are included in version 8.1.0.21999. No workaround or temporary mitigation is available, so updating is the only remediation.
4. **Recommendation for Service Providers**:
– Those using supported versions (7 and 8) should update to the latest cumulative patch, 8.1.0.21999.
– Service providers using unsupported versions are urged to upgrade to the latest version of the Veeam Service Provider Console.
5. **Next Steps**: Ensure all VSPC servers are upgraded promptly to mitigate the risks associated with these vulnerabilities.
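The version triage described in items 2 through 5, as an added example written for this page (not code from Veeam or from the advisory). It reads the installed VSPC build from the Windows Uninstall registry entries and compares it against 8.1.0.21999. The registry display name filter (`*Veeam Service Provider Console*`), the assumption that `DisplayVersion` holds the four-part build, and the sample version strings are assumptions constructed for illustration, not values taken from the advisory.

```powershell
# Added example: classify Veeam Service Provider Console builds against the fixed build.
# Not Veeam's code. Assumptions: VSPC registers an Uninstall entry whose DisplayName
# contains "Veeam Service Provider Console" and whose DisplayVersion is the 4-part
# build number (e.g. 8.1.0.21377). Only the fixed build and affected range come from
# the advisory.

$FixedBuild = [version]'8.1.0.21999'   # first build carrying both patches (advisory)

function Get-VspcInstalledVersion {
    # Look in both 64-bit and 32-bit Uninstall hives; returns $null if VSPC is absent.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Veeam Service Provider Console*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-VspcPatched {
    param([Parameter(Mandatory)][string]$Version)

    $v = $null
    if (-not [version]::TryParse($Version, [ref]$v)) {
        # Malformed build string: flag it rather than silently treating it as patched.
        return [pscustomobject]@{ Version = $Version; Patched = $false; Note = 'Unparseable version string; verify manually' }
    }

    if ($v -ge $FixedBuild) {
        $note = 'OK: 8.1.0.21999 or later'
    }
    elseif ($v.Major -ge 7) {
        # Supported versions 7 and 8 below the fixed build: apply the cumulative patch.
        $note = 'Affected (CVE-2024-42448, CVE-2024-42449): apply 8.1.0.21999'
    }
    else {
        # Out-of-support versions are not patched in place; upgrade to current VSPC.
        $note = 'Unsupported version, likely affected: upgrade to the latest VSPC'
    }

    [pscustomobject]@{ Version = $Version; Patched = ($v -ge $FixedBuild); Note = $note }
}

# Constructed sample inputs (not real inventory data), plus the live value from this
# host if VSPC is installed here.
$samples = @('6.0.0.1000', '7.0.0.1000', '8.1.0.21377', '8.1.0.21999')
$live = Get-VspcInstalledVersion
if ($live) { $samples += $live }

$samples | ForEach-Object { Test-VspcPatched -Version $_ } | Format-Table -AutoSize
```

Run it on each VSPC server (or feed `Test-VspcPatched` a list of builds collected from your inventory tool) to get a patched/affected table. Because the advisory offers no workaround, anything reported as affected should be scheduled for the 8.1.0.21999 update rather than a compensating control; the only hardening worth doing in the meantime is reviewing which management agents are authorized on the server, since the advisory ties both flaws to that trust relationship.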