Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
The most severe of the problems addressed is CVE-2024-40711, a critical (CVSS v3.1 score: 9.8) remote code execution (RCE) vulnerability on Veeam Backup & Replication (VBR) that can be exploited without authentication.
VBR is used to manage and secure backup infrastructure for enterprises, so it plays a critical role in data protection. As it can serve as a pivot point for lateral movement, it is considered a high-value target for ransomware operators.
Secure-ISS recommends that clients review the Veeam Security Bulletin ASAP and identify affected and vulnerable assets in their environment.
Impacted Versions
- Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch
Mitigations
For the critical vulnerability in the section above, Veeam has released an upgrade to version 12.2.0.334. Clients with vulnerable assets should upgrade as a priority.
Additional Non-Critical Vulnerabilities
Several other vulnerabilities were addressed in the same Veeam Security Bulletin; however, these were not rated as Critical. Efforts should be made, however, to address these High-rated vulnerabilities as soon as practical.
- Veeam Agent for Linux 6.1.2.1781 and all earlier version 6 builds
- Veeam ONE 12.1.0.3208 and all earlier version 12 builds
- Veeam Service Provider Console 8.0.0.19552 and all earlier version 8 builds
- Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and all earlier version 12 builds
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45 and all earlier version 12 builds
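As an added illustration of the asset review recommended above (example code, not part of the Secure-ISS advisory or any Veeam tooling), the following script checks an inventory of Veeam installations against the affected-version ceilings quoted in the bulletin and reports what needs upgrading. The inventory format (hostname, product, version) and the sample entries are constructed assumptions; the affected ceilings and the 12.2.0.334 fix build come from the advisory text.

```python
# Added example (not Secure-ISS or Veeam code): triage a constructed asset inventory
# against the affected-version ranges stated in Veeam's September 2024 bulletin.
from typing import Optional, List, Tuple

# (branch, highest affected build) exactly as the bulletin states them
AFFECTED = {
    "Veeam Backup & Replication": (12, "12.1.2.172"),
    "Veeam Agent for Linux": (6, "6.1.2.1781"),
    "Veeam ONE": (12, "12.1.0.3208"),
    "Veeam Service Provider Console": (8, "8.0.0.19552"),
    "Veeam Backup for Nutanix AHV Plug-In": (12, "12.5.1.8"),
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In": (12, "12.4.1.45"),
}
# The only fixed build the bulletin names; other products point back to the bulletin.
FIXED = {"Veeam Backup & Replication": "12.2.0.334"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric:
    a plain string compare would wrongly rank "12.10.0.1" below "12.2.0.334"."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the build falls inside the affected range, False if not,
    None if the bulletin does not cover this product at all."""
    if product not in AFFECTED:
        return None
    branch, ceiling = AFFECTED[product]
    ver = parse_version(version)
    # The bulletin scopes each range to one branch; other branches are out of scope here.
    return ver[0] == branch and ver <= parse_version(ceiling)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, action) for every affected asset."""
    findings = []
    for host, product, version in inventory:
        if is_affected(product, version):
            target = FIXED.get(product, "see Veeam Security Bulletin")
            findings.append((host, product, version, f"upgrade to {target}"))
    return findings


# Constructed sample inventory (hostnames and the 11.x build are made up)
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.172"),   # last affected build
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.334"),   # already on the fix
    ("bkp-03", "Veeam Backup & Replication", "11.0.0.1"),     # branch not in scope
    ("spc-01", "Veeam Service Provider Console", "8.0.0.19552"),
    ("one-01", "Veeam ONE", "12.1.0.3208"),
    ("lnx-01", "Veeam Agent for Linux", "6.1.2.1781"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding)
```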