This advisory is for organizations that use Veeam ONE to monitor virtual infrastructure, backup infrastructure, and data protection environments. If your organization does not use this platform, this notification may be discarded.
Summary
Veeam has released hotfixes to address four vulnerabilities, two of them critical, present in the Veeam ONE platform. The first critical vulnerability may allow an unauthenticated user to gain information about the SQL server connection that Veeam ONE uses to access its configuration data base, introducing the potential for an attacker to perform remote code execution on the SQL server hosting the database.
The second critical vulnerability may be leveraged to leak the NTLM hash of the account used by the Veeam ONE Reporting Services to an unprivileged user with access to the UI.
CVE-2023-38547 – This unspecified flaw could be exploited by an unauthenticated user to gain information about the SQL server connection used by Veeam ONE to access its configuration database.
CVSSv3: 9.9
CVE-2023-38548 – Vulnerability that could allow an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
CVSSv3: 9.8
Affected Products/Versions
Veeam ONE 11, 11a, 12
Mitigations
A Hotfix to resolve these vulnerabilities is available for:
- Veeam ONE 12 P20230314 (12.0.1.2591)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 11 (11.0.0.1379)
To apply the hotfix, admins must stop the Veeam ONE monitoring and reporting services on impacted servers, replace the files on the disk with the files provided by the hotfix, and restart the services to deploy the fixes.
Hotfixes: https://www.veeam.com/kb4508#:~:text=Download%20Hotfix%20That%20Matches%20Installed%20Build%20Number
Additional Resources
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/
https://www.veeam.com/kb4508
