Several serious security flaws have been found in the Veeam ONE platform for analytics and IT infrastructure monitoring. These vulnerabilities may result in data breaches, illegal access, and NTLM hash theft. To fix these problems, Veeam has published security patches and issued a warning. Read this Cybersecurity Threat Advisory on recommendations to mitigate risks and protect Veeam environments.
What is the threat?
Multiple vulnerabilities have been found in Veeam ONE, an IT infrastructure monitoring and analytics platform. CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12. CVE-2023-38549 affects only Veeam ONE 12.
The initial two vulnerabilities, CVE-2023-38547 and CVE-2023-38548, are rated critical. CVE-2023-38547 can permit an unauthenticated user to access Veeam ONE’s configuration database’s SQL server connection information, potentially leading to remote code execution on the SQL server. CVE-2023-38548 enables unprivileged Veeam ONE Web Client users to obtain the access token of a Veeam ONE Administrator. These weaknesses might permit aggressors to take NTLM hashes and exploit other security shortcomings. Veeam has recognized these issues and delivered security updates to address the weaknesses. Veeam ONE clients are encouraged to apply these updates to moderate the dangers related to these basic imperfections. For more point-by-point data and explicit alleviation steps please follow mitigation steps.
Why is it noteworthy?
The possibility for malevolent actors such as FIN7 and BlackCat ransomware groups to exploit these Veeam ONE weaknesses with SQL server connections poses serious risks for Veeam ONE clients. Unauthorized access, data breaches, and the theft of NTLM hashes—which are frequently used in Windows authentication—can result from these vulnerabilities. Additionally, the availability, confidentiality, integrity of sensitive data, as well as IT systems may also be impacted if these vulnerabilities were exploited.
What is the exposure or risk?
These vulnerabilities come with significant risk and exposure. Attackers may be able to obtain sensitive data exfiltration, compromise vital systems, and obtain unauthorized access to an organization’s IT infrastructure if they are successful in their exploit. The effect of a breach may increase if NTLM hashes are stolen since they may allow for more exploitation and lateral movement throughout the network. A successful attack may result in reputational harm as well as monetary losses.
What are the recommendations?
Barracuda MSP recommends the following actions to protect your environment against these vulnerabilities:
- Quickly apply the security updates given by Veeam to address the distinguished weaknesses.
- Veeam ONE 11 (22.214.171.1249)
- Veeam ONE 11a (126.96.36.1990)
- Veeam ONE 12 P20230314 (188.8.131.5291)
- Administrators should take the following actions to apply the hotfixes:
- Halt the Veeam ONE Monitoring and Reporting services on affected servers.
- Replace the current files on the server with those supplied in the hotfix.
- Restart the Veeam ONE Monitoring and Reporting services to implement the hotfixes.
- Routinely update Veeam ONE to the most recent version for ongoing protection against future vulnerabilities.
- Change Passwords and Reset NTLM Hashes: Change passwords for accounts that might have been uncovered and consider resetting NTLM hashes to forestall further abuse of compromised accreditations.
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.