In its latest security updates, Veeam has identified and resolved critical vulnerabilities in its IT monitoring and analytics platform, Veeam ONE. These vulnerabilities pose significant risks, including the potential for remote code execution and the theft of NTLM hashes. Users should take immediate action to protect their systems.

Here is an overview of the vulnerabilities that have been identified. Two of them have been given a critical rating with high CVSS scores:

1. CVE-2023-38547 (CVSS score: 9.9): The details of this flaw are unspecified, but it allows an unauthenticated user to extract information about the SQL server connection used by Veeam ONE. This could potentially lead to remote code execution on the SQL server that hosts the Veeam ONE configuration database.

2. CVE-2023-38548 (CVSS score: 9.8): This vulnerability enables an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.

Additionally, there are two other vulnerabilities:

3. CVE-2023-38549 (CVSS score: 4.5): This Cross-Site Scripting (XSS) vulnerability allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.

4. CVE-2023-41723 (CVSS score: 4.3): This vulnerability allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

It is essential for users to address these vulnerabilities promptly to ensure the security of their systems.

Impacted Versions and Patches:

The vulnerabilities impact actively supported versions of Veeam ONE, specifically versions 11, 11a, and 12. Veeam has addressed these issues by releasing hotfixes for these versions. Administrators are strongly advised to apply these patches without delay.

Veeam ONE 11 (11.0.0.1379)
Veeam ONE 11a (11.0.1.1880)
Veeam ONE 12 P20230314 (12.0.1.2591)

Mitigation Steps:

To safeguard their systems, administrators are advised to follow the steps outlined below:

1. Stop the Veeam ONE Monitoring and Reporting services on the affected servers.
2. Replace the existing files with the ones provided in the hotfix.
3. Restart the Veeam ONE Monitoring and Reporting services to deploy the hotfixes.
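
The three steps above in PowerShell, with a backup of the replaced files and a hash check after copying. This is an added example, not Veeam's own script or part of the original advisory. The `-HotfixDir`, `-InstallDir` and `-BackupDir` parameters and the service display-name filter are assumptions; take the real paths and service names from the hotfix instructions.

```powershell
# Added example, not Veeam's procedure. The paths and the service display-name
# pattern are assumptions; confirm them with Get-Service and the hotfix notes.
param(
    [Parameter(Mandatory)] [string] $HotfixDir,   # extracted hotfix files (placeholder)
    [Parameter(Mandatory)] [string] $InstallDir,  # folder holding the files to replace (placeholder)
    [Parameter(Mandatory)] [string] $BackupDir    # originals are kept here for rollback
)
# Any failure halts the script: services stay stopped and originals remain in $BackupDir.
$ErrorActionPreference = 'Stop'

# Step 1: stop the Monitoring and Reporting services (display names assumed).
$services = @(Get-Service -DisplayName 'Veeam ONE*' |
    Where-Object { $_.DisplayName -match 'Monitoring|Reporting' })
if ($services.Count -eq 0) { throw 'No matching Veeam ONE services found.' }
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5)) }

# Step 2: back up each original, replace it, then confirm the copy by hash.
$root = (Resolve-Path $HotfixDir).Path
foreach ($file in Get-ChildItem -Path $root -File -Recurse) {
    $relative = $file.FullName.Substring($root.Length).TrimStart('\')
    $target   = Join-Path $InstallDir $relative
    $backup   = Join-Path $BackupDir  $relative
    if (Test-Path $target) {
        New-Item -ItemType Directory -Force -Path (Split-Path $backup) | Out-Null
        Copy-Item -Path $target -Destination $backup -Force
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
    Copy-Item -Path $file.FullName -Destination $target -Force
    $src = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $target" }
}

# Step 3: restart the services and report their state.
$services | Start-Service
$services | ForEach-Object { $_.Refresh(); '{0}: {1}' -f $_.DisplayName, $_.Status }
```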

In addition to applying the immediate hotfixes, it is crucial for organizations to proactively enhance their cybersecurity efforts. Regularly updating Veeam ONE to the latest available version is highly recommended to strengthen defenses against potential future vulnerabilities.

Background and Threat Landscape:

In recent months, threat actors, including notable groups like FIN7 and BlackCat ransomware, have exploited critical vulnerabilities in Veeam software to distribute malware. The widespread usage of Veeam ONE, including by Fortune 500 companies and organizations in the Global 2,000 annual ranking, highlights the urgency of addressing these vulnerabilities promptly.

As part of ongoing security measures, Security Operations Center (SOC) teams, such as those at OBRELA, continue to monitor and remain vigilant against potential exploitation attempts within their clients’ infrastructure.

In conclusion, the discovery and swift response to these critical vulnerabilities underscore the importance of proactive cybersecurity practices. Organizations utilizing Veeam ONE are strongly urged to apply the patches immediately and maintain a vigilant approach to safeguarding their IT infrastructure against evolving security threats.