Black Arrow Cyber Advisory 09 November 2023 – High Severity Veeam ONE Vulnerabilities

Executive summary

Veeam has released patches to fix four vulnerabilities, including two rated critical. If exploited, the critical vulnerabilities could allow an unauthenticated attacker to steal the NTLM hashes of accounts and perform remote code execution on the server hosting the product database.

What’s the risk to me or my business?

Organisations running vulnerable products risk allowing an attacker to perform remote code execution and steal NTLM hashes. This allows an attacker to log in with the stolen user's credentials and perform remote code execution, impacting the confidentiality, integrity and availability of data.

The following products are affected:

· Veeam ONE 11 – fixed in version 11.0.0.1379
· Veeam ONE 11a – fixed in version 11.0.1.1880
· Veeam ONE 12 – fixed in version 12.0.1.2591

What can I do?

Black Arrow recommends applying the patches immediately due to the severity of the vulnerabilities; there is no workaround available. Further information can be found in the Veeam security update below.

Technical Summary

CVE-2023-38547 – If exploited, this allows an unauthenticated attacker to gain information from the SQL server to access its configuration database. This can lead to an attacker performing remote code execution.

CVE-2023-38548 – If exploited, this allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account user, allowing them to obtain the user's password.

Further information can be found here: https://www.veeam.com/kb4508  
