Published: November 21, 2023
Overview
The backup and disaster recovery company, Veeam, has disclosed multiple vulnerabilities within its enterprise backup product, Veeam ONE. Several of these vulnerabilities are listed as critical, with CVSS scores of 9 or above. CVE-2023-38547 (CVSS score 9.9) can be exploited to allow unauthorized users to access the SQL server and the Veeam ONE configuration database. CVE-2023-38548 (CVSS score 9.8) is a critical flaw that gives unprivileged users access to the Veeam ONE Web Client.
While there have been no reports of active exploitation, organizations have been urged to immediately apply the issued fixes.
Impact
CVE-2023-38547 is a critical SQL vulnerability that allows an unauthenticated user to gain information about the SQL server connection used to access the configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
CVE-2023-38548 is a critical vulnerability that allows an unprivileged user with access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
CVE-2023-38549 is a cross-site scripting (XSS) vulnerability (listed as medium severity) that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
Note: The criticality of this vulnerability is reduced as it requires interaction by a user with the Veeam ONE Administrator role.
CVE-2023-41723 is a medium severity vulnerability that allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
Applicable Versions
| Affected Version | Updated Version (hotfix build) |
|---|---|
| Veeam ONE 12 P20230314 | 12.0.1.2591 |
| Veeam ONE 11a | 11.0.1.1880 |
| Veeam ONE 11 | 11.0.0.1379 |
Mitigations and Workarounds
Veeam suggests applying the hotfixes listed above to limit the impact of these vulnerabilities on affected versions. More details will be shared as they become available.
Best Practices
It is recommended that users of the Veeam ONE versions listed above apply the patches for their respective products immediately. Additionally, monitor your systems for any signs of suspicious activity. While these vulnerabilities have not been exploited in the wild, they could be leveraged for malicious attacks.
Netsurion Detection and Response
We will update our vulnerability signatures in Netsurion’s vulnerability management system as they become available for customers who have subscribed to Netsurion Vulnerability Management.