Published: November 21, 2023

Overview

The backup and disaster recovery company Veeam has disclosed multiple vulnerabilities in its enterprise backup product, Veeam ONE. Several of these vulnerabilities are rated critical, with CVSS scores of 9 or above. CVE-2023-38547 (CVSS score 9.9) can be exploited to give unauthorized users access to the SQL server and the Veeam ONE configuration database. CVE-2023-38548 (CVSS score 9.8) is a critical flaw that gives unprivileged users access to the Veeam ONE Web Client.

While there have been no reports of active exploitation, organizations have been urged to apply the issued fixes immediately.

Impact

CVE-2023-38547 is a critical SQL vulnerability that allows an unauthenticated user to obtain information about the SQL server connection used to access the configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

CVE-2023-38548 is a critical vulnerability that allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

CVE-2023-38549 is a cross-site scripting (XSS) vulnerability (listed as medium severity) that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.

Note: The criticality of this vulnerability is reduced because it requires interaction by a user with the Veeam ONE Administrator role.

CVE-2023-41723 is a medium severity vulnerability that allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.

Applicable Versions

Affected Version          Updated Version
Veeam ONE 12 P20230314    12.0.1.2591
Veeam ONE 11a             11.0.1.1880
Veeam ONE 11              11.0.0.1379
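A quick way to triage an asset inventory against the fixed builds in the table above, as an added example that is not part of the advisory or of Veeam's tooling: each installed build is compared only with the fixed build of its own release branch, so Veeam ONE 11 and 11a (same major version, different branches) are kept apart, and a branch the advisory does not list is flagged for manual review rather than guessed at. The sample build strings are constructed.

```python
# Added example: compare installed Veeam ONE builds with the fixed builds
# from the advisory's version table. Not code from Veeam or the advisory.

# Fixed builds from the advisory. The first three version components
# identify the release branch; Veeam ONE 11 and 11a share a major version
# but sit on different branches, so the branch is what must match.
FIXED_BUILDS = {
    "Veeam ONE 12": "12.0.1.2591",
    "Veeam ONE 11a": "11.0.1.1880",
    "Veeam ONE 11": "11.0.0.1379",
}


def parse_build(version: str) -> tuple:
    """Parse 'major.minor.patch.build' into a tuple of ints.

    Raises ValueError on anything that is not four numeric components, so a
    malformed inventory entry is never silently compared as 'patched'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Veeam ONE build format: {version!r}")
    return tuple(int(p) for p in parts)


def assess_build(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one installed build.

    'unlisted' means the build is on a branch the advisory's table does not
    cover (for example 12.1.x), which should be reviewed against the vendor
    KB rather than assumed safe.
    """
    inst = parse_build(installed)
    for fixed in FIXED_BUILDS.values():
        fix = parse_build(fixed)
        if inst[:3] == fix[:3]:  # same release branch
            return "patched" if inst >= fix else "vulnerable"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory entries (not real hosts).
    for build in ["12.0.1.2591", "12.0.1.2500", "11.0.1.1880",
                  "11.0.0.1200", "12.1.0.100"]:
        print(f"{build}: {assess_build(build)}")
```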

Mitigations and Workarounds

Veeam suggests applying the hotfixes listed above to limit the impact of these vulnerabilities on affected versions. More details will be shared as they become available.

Best Practices

Users of the Veeam ONE versions listed above should apply the patches for their respective products immediately. Additionally, monitor your systems for any signs of suspicious activity. While these vulnerabilities have not been reported as exploited in the wild, they could be leveraged in malicious attacks.

Netsurion Detection and Response

We will update our vulnerability signatures in Netsurion’s vulnerability management system, as they become available, for customers who have subscribed to Netsurion Vulnerability Management.

References:

  1. https://www.veeam.com/kb4508
  2. https://www.scmagazine.com/brief/veeam-one-vulnerabilities-addressed
  3. https://www.cvedetails.com/vulnerability-list/vendor_id-15994/Veeam.html