Advisory November 7, 2023

Veeam ONE IT Infrastructure Monitoring and Analytics Platform Vulnerabilities

Veeam has released critical security updates to address four vulnerabilities in its Veeam ONE IT infrastructure monitoring and analytics platform. Two of these vulnerabilities have been rated as critical, with high CVSS base scores, which can lead to remote code execution and the theft of NTLM hashes. These flaws impact actively supported Veeam ONE versions, and patches have been made available to address these issues. Admins are advised to apply the hotfixes promptly.

Details:

  1. CVE-2023-38547 (CVSS score: 9.9)
    • An unspecified flaw allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This vulnerability can result in remote code execution on the SQL server.
  2. CVE-2023-38548 (CVSS score: 9.8)
    • This vulnerability permits an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
  3. CVE-2023-38549 (CVSS score: 4.5)
    • A Cross-Site Scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
  4. CVE-2023-41723 (CVSS score: 4.3)
    • This vulnerability allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

Impacted Versions:

  • CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12.
  • CVE-2023-38549 affects only Veeam ONE 12.

Patches:

Veeam has released hotfixes to address these vulnerabilities, and the following versions are recommended for deployment:

  • Veeam ONE 11 (11.0.0.1379)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 12 P20230314 (12.0.1.2591)

Mitigation Steps:

Administrators should follow these steps to apply the hotfixes:

  1. Stop the Veeam ONE Monitoring and Reporting services on impacted servers.
  2. Replace the existing files on the server with the files provided in the hotfix.
  3. Restart the Veeam ONE Monitoring and Reporting services to deploy the hotfixes.

Additionally, it is recommended to regularly update Veeam ONE to the latest available version to stay protected against future vulnerabilities.

Background:

In the past months, critical vulnerabilities in Veeam’s software have been targeted by various threat actors, including FIN7 and BlackCat ransomware groups, to distribute malware. Veeam ONE is widely used globally, including by Fortune 500 companies and organizations listed in the Global 2,000 annual ranking.

The SOC teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts.

References:

https://thehackernews.com/2023/11/critical-flaws-discovered-in-veeam-one.html

https://www.veeam.com/kb4508

https://www.bleepingcomputer.com/news/security/cuba-ransomware-uses-veeam-exploit-against-critical-us-organizations/

https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html

Start Now