Veeam Product Security Update Advisory

Overview

Veeam has released updates that address multiple vulnerabilities in its products. Users of the affected versions are advised to update to the fixed versions listed under Vulnerability Patches below.
 

Affected Products

 

CVE-2024-40710, CVE-2024-40711, CVE-2024-40712, CVE-2024-40713, CVE-2024-40714, CVE-2024-39718

  • Veeam Backup & Replication: all versions up to and including 12.1.2.172

 

CVE-2024-40709

  • Veeam Agent for Linux: all versions up to and including 6.1.2.1781

 

CVE-2024-42019, CVE-2024-42020, CVE-2024-42021, CVE-2024-42022, CVE-2024-42023, CVE-2024-42024

  • Veeam ONE: all versions up to and including 12.1.0.3208

 

CVE-2024-38650, CVE-2024-39714, CVE-2024-39715, CVE-2024-38651

  • Veeam Service Provider Console: all versions up to and including 8.0.0.19552

 

CVE-2024-40718

  • Veeam Backup for Nutanix AHV Plug-In: all versions up to and including 12.5.1.8
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In: all versions up to and including 12.4.1.45

 

 

Resolved Vulnerabilities

 

Remote code execution (RCE) vulnerability caused by deserialization of untrusted data, triggered by a crafted malicious payload (CVE-2024-40711)

Vulnerability that could allow a user with a low-privileged role to change multi-factor authentication (MFA) settings and bypass MFA (CVE-2024-40713)

Vulnerability that could allow remote code execution (RCE) as the service account and extraction of sensitive information (stored credentials and passwords) (CVE-2024-40710)

Improper input validation vulnerability that could allow a low-privileged user to remotely remove files on the system with the same privileges as the service account (CVE-2024-39718)

Vulnerability in TLS certificate validation that could allow an attacker on the same network to intercept sensitive credentials during a recovery operation (CVE-2024-40714)

A path traversal vulnerability that could allow an attacker with local access to low-privileged accounts and systems to perform local privilege elevation (LPE) (CVE-2024-40712)

Missing authorization vulnerability that allows a low-privileged local user to elevate their privileges to root (CVE-2024-40709)

Vulnerability that could allow an attacker to access the NTLM hash of the Veeam Reporter Service service account (CVE-2024-42019)

Vulnerability in the Reporter widget that allows HTML injection (CVE-2024-42020)

Vulnerability that could allow an attacker with a valid access token to access stored credentials (CVE-2024-42021)

Vulnerability that could allow an attacker to modify product configuration files (CVE-2024-42022)

Vulnerability that allows a low-privileged user to remotely execute code with administrator privileges (CVE-2024-42023)

Vulnerability that could allow remote code execution on a computer with Veeam ONE Agent installed if the attacker possesses Veeam ONE Agent service account credentials (CVE-2024-42024)

Vulnerability that could allow a low-privileged attacker to access the NTLM hash of a service account on a VSPC server (CVE-2024-38650)

Vulnerability that allows a low-privileged user to upload arbitrary files to the server, leading to remote code execution on the VSPC server (CVE-2024-39714)

Vulnerability that allows a low-privileged user with REST API access to remotely upload arbitrary files to the VSPC server via the REST API (CVE-2024-39715)

Vulnerability that could allow a low-privileged user to overwrite files on the VSPC server (CVE-2024-38651)

Vulnerability that could allow a low-privileged user to perform local privilege escalation by exploiting a server-side request forgery (SSRF) vulnerability (CVE-2024-40718)

 

Vulnerability Patches

 

The following product-specific fixed versions have been made available with the latest update. If you are using an affected version, follow the instructions on the referenced sites to update to the fixed version.

 

CVE-2024-40710, CVE-2024-40711, CVE-2024-40712, CVE-2024-40713, CVE-2024-40714, CVE-2024-39718

  • Veeam Backup & Replication version: 12.2.0.334 (see reference[2])

 

CVE-2024-40709

  • Veeam Agent for Linux version: 6.2.0.101 (see reference[2])

 

CVE-2024-42019, CVE-2024-42020, CVE-2024-42021, CVE-2024-42022, CVE-2024-42023, CVE-2024-42024

  • Veeam ONE version: 12.2.0.4093 (see reference[3])

 

CVE-2024-38650, CVE-2024-39714, CVE-2024-39715, CVE-2024-38651

  • Veeam Service Provider Console version: 8.1 (see reference[4])

 

CVE-2024-40718

  • Veeam Backup for Nutanix AHV Plug-In version: 12.6.0.632 (see reference[5])
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In version: 12.5.0.299 (see reference[6])
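The affected and fixed builds above are only useful if they are compared numerically, since "8.1" must rank above "8.0.0.19552" and "12.2.0.334" above "12.1.2.172", which naive string comparison gets wrong. The following Python script is an added example, not code from Veeam or from this advisory: it transcribes the advisory's version table, parses dotted build numbers into numeric tuples, and classifies each installed build as affected, fixed, or unverified (a build later than the last listed affected build but earlier than the fix build, which the advisory does not describe and which should be checked against the vendor KB rather than assumed safe). The inventory at the bottom is constructed sample data; how the installed build numbers are collected from hosts is left to whatever inventory tooling you already use.

```python
"""Check installed Veeam build numbers against this advisory's version table.

Added example, not part of the Veeam advisory. ADVISORY is transcribed from
the advisory text above; SAMPLE_INVENTORY is constructed, not real hosts.
"""
from __future__ import annotations

import re

# product -> (last affected build, first fixed build, CVEs), from the advisory
ADVISORY: dict[str, tuple[str, str, tuple[str, ...]]] = {
    "Veeam Backup & Replication": (
        "12.1.2.172", "12.2.0.334",
        ("CVE-2024-40710", "CVE-2024-40711", "CVE-2024-40712",
         "CVE-2024-40713", "CVE-2024-40714", "CVE-2024-39718"),
    ),
    "Veeam Agent for Linux": ("6.1.2.1781", "6.2.0.101", ("CVE-2024-40709",)),
    "Veeam ONE": (
        "12.1.0.3208", "12.2.0.4093",
        ("CVE-2024-42019", "CVE-2024-42020", "CVE-2024-42021",
         "CVE-2024-42022", "CVE-2024-42023", "CVE-2024-42024"),
    ),
    "Veeam Service Provider Console": (
        "8.0.0.19552", "8.1",
        ("CVE-2024-38650", "CVE-2024-39714", "CVE-2024-39715", "CVE-2024-38651"),
    ),
    "Veeam Backup for Nutanix AHV Plug-In": (
        "12.5.1.8", "12.6.0.632", ("CVE-2024-40718",)),
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In": (
        "12.4.1.45", "12.5.0.299", ("CVE-2024-40718",)),
}

_BUILD_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.1.2.172' (or a short form such as '8.1') into a 4-tuple of ints.

    Missing trailing components are padded with 0, so '8.1' means 8.1.0.0.
    Numeric comparison is required: as strings, '8.1' sorts below '8.0.0.19552'.
    """
    build = build.strip()
    if not _BUILD_RE.match(build):
        raise ValueError(f"not a Veeam build number: {build!r}")
    parts = [int(p) for p in build.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def assess(product: str, installed: str) -> dict:
    """Classify one installed build as 'affected', 'fixed' or 'unverified'."""
    if product not in ADVISORY:
        raise KeyError(f"product not covered by this advisory: {product}")
    last_affected, first_fixed, cves = ADVISORY[product]
    v = parse_build(installed)
    if v <= parse_build(last_affected):
        status = "affected"
    elif v >= parse_build(first_fixed):
        status = "fixed"
    else:
        # A build newer than the last listed affected build but older than the
        # fix build is not described by the advisory (e.g. an interim hotfix).
        # Do not assume it is patched; confirm against the vendor KB.
        status = "unverified"
    return {
        "product": product,
        "installed": installed,
        "status": status,
        "cves": () if status == "fixed" else cves,
    }


def assess_inventory(inventory: list[tuple[str, str]]) -> list[dict]:
    """Assess a list of (product, installed build) pairs."""
    return [assess(product, build) for product, build in inventory]


# Constructed sample inventory (hypothetical hosts, not real data)
SAMPLE_INVENTORY = [
    ("Veeam Backup & Replication", "12.1.2.172"),       # last affected build
    ("Veeam Backup & Replication", "12.2.0.334"),       # fix build
    ("Veeam Service Provider Console", "8.0.0.19552"),  # last affected build
    ("Veeam Service Provider Console", "8.1"),          # fix version
    ("Veeam Agent for Linux", "6.1.2.9999"),            # hypothetical interim build
]

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        print(f"{r['status']:<10} {r['product']} {r['installed']} {' '.join(r['cves'])}")
```

Feed the script your own (product, build) pairs; any product name not in the table raises rather than silently passing, and a build string that is not purely dotted digits is rejected so that a mangled inventory value cannot be misread as a fixed version.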

 

References

[1] Veeam Security Bulletin (September 2024)

https://www.veeam.com/kb4649

[2] Release Information for Veeam Backup & Replication 12.2

https://www.veeam.com/kb4600

[3] Build Numbers and Versions of Veeam ONE

https://www.veeam.com/kb4357

[4] Build Numbers and Versions of Veeam Service Provider Console

https://www.veeam.com/kb4464

[5] Build Numbers and Versions of Veeam Backup for Nutanix AHV

https://www.veeam.com/kb4299

[6] Build Numbers and Versions of Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization

https://www.veeam.com/kb4362