Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity.
The list of vulnerabilities is as follows -
- CVE-2023-38547 (CVSS score: 9.9) - An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.
- CVE-2023-38548 (CVSS score: 9.8) - A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
- CVE-2023-38549 (CVSS score: 4.5) - A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
- CVE-2023-41723 (CVSS score: 4.3) - A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
While CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 impact Veeam ONE versions 11, 11a, 12, CVE-2023-38548 affects only Veeam ONE 12. Fixes for the issues are available in the below versions -
- Veeam ONE 11 (11.0.0.1379)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 12 P20230314 (12.0.1.2591)
Over the past few months, critical flaws in the Veeam backup software have been exploited by multiple threat actors, including FIN7 and BlackCat ransomware, to distribute malware.
Users running the affected versions are recommended to stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the files provided in the hotfix, and restart the two services.