Source: www.csoonline.com
The security flaw could allow threat actors to execute arbitrary code on unpatched Veeam Service Provider Console server machines.
Veeam is warning its customers about two vulnerabilities, one of them a critical RCE bug, affecting the Veeam Service Provider Console (VSPC), a web-based management platform for managed service providers (MSPs).
On Tuesday, the data protection and backup vendor, whose products underpin IT availability for brands such as Cisco, Lenovo, and NASA, issued an advisory stating that the bugs can be exploited only under certain conditions.
While an update containing the necessary patches has been released, there is currently no mitigation available for unpatched instances.
Critical RCE bug discovered during testing
The first flaw fixed in that update, tracked as CVE-2024-42448, is a critical remote code execution (RCE) bug that could allow threat actors to execute arbitrary code on unpatched VSPC server machines.
“From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine,” Veeam said.
The vulnerability, which was reportedly discovered during Veeam’s internal testing, has received a critical rating with a CVSS score of 9.9/10.
A quick scan of the leak search platform LeakIX at the time of publishing revealed over a million (1,186,722) potentially affected VSPC instances exposed on the internet, about half of them in the US and Germany alone.
The vulnerability affects VSPC versions 8.1.0.21377 and earlier (8 and 8.1 builds) and has been fixed in the 8.1.0.21999 update. “Unsupported product versions are not tested, but are likely affected and should be considered vulnerable,” the company wrote.
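For a fleet of consoles, the practical first step is to compare each installed build against the affected and fixed builds quoted above. The helper below is an added example written for this article, not Veeam code: it parses the four-part build string numerically (a plain string comparison would rank 8.1.0.21999 below 8.1.0.3), treats anything older than the fixed build as vulnerable, and flags pre-8 builds as unsupported and to be assumed vulnerable, as the advisory says. The hostnames and the 8.0 and 7.0 builds in the sample inventory are constructed for illustration.

```python
"""Triage helper for the VSPC advisory: classify each console build as patched,
vulnerable, or unsupported (assume vulnerable). Added example, not Veeam code.
Build numbers come from the advisory; the inventory below is constructed."""
from __future__ import annotations

LAST_AFFECTED_BUILD = (8, 1, 0, 21377)  # "8.1.0.21377 and earlier" (advisory)
FIXED_BUILD = (8, 1, 0, 21999)          # fixed in this update (advisory)


def parse_build(version: str) -> tuple[int, ...]:
    """Turn 'a.b.c.d' into an integer tuple so that comparison is numeric.

    Comparing the raw strings is a common triage mistake: as strings,
    '8.1.0.21999' < '8.1.0.3', which would mark a patched host as vulnerable
    or, worse, a vulnerable host as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-assume-vulnerable'.

    Builds between 8.1.0.21377 and 8.1.0.21999 are not named in the advisory;
    they are treated as vulnerable here because only 8.1.0.21999 is stated as
    fixed, which is the conservative choice for triage.
    """
    build = parse_build(version)
    if build[0] < 8:
        # Advisory: unsupported versions are untested but should be
        # considered vulnerable, so do not silently pass them.
        return "unsupported-assume-vulnerable"
    if build >= FIXED_BUILD:
        return "patched"
    return "vulnerable"


# Constructed sample inventory (hostnames and the 8.0 / 7.0 builds are made up).
SAMPLE_INVENTORY = [
    ("vspc-01.example.internal", "8.1.0.21377"),   # last affected build
    ("vspc-02.example.internal", "8.1.0.21999"),   # fixed build
    ("vspc-03.example.internal", "8.0.0.1000"),    # hypothetical 8.0 build
    ("vspc-legacy.example.internal", "7.0.0.500"), # hypothetical unsupported build
]


def triage(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each host to its assessment."""
    return {host: assess(ver) for host, ver in inventory}


def hosts_needing_action(inventory: list[tuple[str, str]]) -> list[str]:
    """Hosts that are not on the fixed build, sorted for a stable report."""
    return sorted(host for host, ver in inventory if assess(ver) != "patched")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("needs update:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

Feed it the build strings collected from your own inventory tooling; the classification logic is the part worth reusing, since the advisory gives only the affected and fixed build numbers and leaves how you collect installed versions to you.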
Another high-severity bug found
Along with the critical RCE bug, Veeam issued an alert for another high-severity flaw, tracked as CVE-2024-42449, which could allow attackers to delete VSPC server files without authorization.
“From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine,” Veeam said.
The flaw, which received a 7.1/10 CVSS score, was fixed in the same update and, like the RCE bug, is reported not to affect other Veeam products such as Veeam Backup and Replication (VBR), Veeam Agent for Microsoft Windows, and Veeam ONE. A separate critical RCE flaw in Veeam’s VBR, tracked as CVE-2024-40711, was disclosed in September and was later reported as being exploited as an N-day in Akira and Fog ransomware infections.
Original Post url: https://www.csoonline.com/article/3617081/veeam-issues-patch-for-critical-rce-bug.html