Veeam has published a critical advisory regarding severe vulnerabilities affecting its Veeam Service Provider Console (VSPC), particularly impacting version 8.1.0.21377 and earlier builds from version 7.
These Veeam vulnerabilities, identified as CVE-2024-42448 and CVE-2024-42449, expose service providers to online security risks. These vulnerabilities in Veeam are especially concerning due to their potential to compromise system integrity, data confidentiality, and network security.
Overview of the Veeam Vulnerabilities
The Veeam vulnerabilities, disclosed as part of Veeam’s December 2024 updates, have been classified with high severity levels, with CVE-2024-42448 rated as critical, and CVE-2024-42449 deemed high in severity.
Both vulnerabilities exist due to flaws within the Veeam Service Provider Console 8.1 and affect all builds of version 8.1 and prior, including earlier builds from version 7.
These vulnerabilities impact the management agent machines authorized on the VSPC server, which means that an attacker with control over a management agent could exploit these vulnerabilities to access or manipulate the server.
CVE-2024-42448: Remote Code Execution (RCE)
The first Veeam vulnerability, CVE-2024-42448, allows for Remote Code Execution (RCE). This occurs when an attacker gains access to a VSPC management agent machine that is authorized on the server. Once this condition is met, an attacker can execute arbitrary code remotely on the VSPC server machine.
This critical flaw has been assigned a CVSS v3.1 score of 9.9—the highest possible severity rating—due to its potential to completely compromise a system. Internal testing discovered this flaw, highlighting the risk that it poses to organizations relying on the Veeam Service Provider Console for backup management.
CVE-2024-42449: NTLM Hash Leak and File Deletion
CVE-2024-42449 presents another serious security risk, allowing attackers to exploit the management agent machine to leak an NTLM hash of the VSPC server’s service account. Additionally, this vulnerability allows attackers to delete files on the VSPC server machine.
Although not as severe as RCE, this flaw still represents a high risk, with a CVSS v3.1 score of 7.1. By gaining access to NTLM hashes, attackers could potentially escalate their privileges within the system, leading to further data breaches or malicious actions.
Updates and Patches
Veeam responded to the vulnerabilities by releasing a critical patch to mitigate these issues. Service providers using Veeam Service Provider Console version 8.1 are encouraged to update to the latest available build, 8.1.0.21999, which addresses both CVE-2024-42448 and CVE-2024-42449. It is important to note that no mitigations are available for these vulnerabilities besides upgrading to the patched version. Thus, users of affected versions are strongly urged to install the cumulative update as soon as possible.
The critical update was published on December 3, 2024, with the patch applied in Veeam Service Provider Console 8.1.0.21999. Service providers using earlier versions (including builds from version 7) are advised to upgrade to the latest version to safeguard their systems.
The Veeam Service Provider Console vulnerabilities impact version 8.1.0.21377 and all prior versions in the 8.x and 7.x series. However, Veeam notes that if private fixes were applied to any of these versions, the build number may exceed the general availability (GA) version. In such cases, any deployed build lower than the solution build number (8.1.0.21999) should be considered vulnerable.
For Veeam users who have not yet updated their systems, this is a critical reminder to ensure they are operating on the most recent, secure version of the VSPC. Those who fail to act could leave their systems vulnerable to potential attacks that could lead to data loss or security breaches.
Conclusion
Organizations using Veeam Service Provider Console are strongly advised to upgrade to the latest available build, 8.1.0.21999, to protect themselves from the vulnerabilities CVE-2024-42448 and CVE-2024-42449. These vulnerabilities present serious risks, including the possibility of Remote Code Execution and NTLM hash leaks, which could lead to further data loss, system compromises, and escalating attacks.
As with any security vulnerability, timely patching is the best defense against potential exploits. Service providers and users of the affected Veeam versions should not delay the update process.
