Veeam warns of critical bugs in Veeam ONE monitoring platform

Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical.

The company assigned almost maximum severity ratings (9.8 and 9.9/10 CVSS base scores) to the critical security flaws since they let attackers gain remote code execution (RCE) and steal NTLM hashes from vulnerable servers. The remaining two are medium-severity bugs that require user interaction or have limited impact.

"A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database," an advisory published today says about the bug tracked as CVE-2023-38547.

"A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service," the company says when describing the second critical vulnerability (CVE-2023-38548) patched today.

Veeam also fixed a security flaw tracked as CVE-2023-38549 that could let attackers with Power User roles steal the access token of an admin in a Cross-Site Scripting (XSS) attack, which requires user interaction from someone with the Veeam ONE Administrator role.

CVE-2023-41723, the fourth vulnerability addressed today, can be exploited by malicious actors with the Read-Only User role to access the Dashboard Schedule (the attacker can't make changes).

These flaws impact actively supported Veeam ONE versions up to the latest release, and the company has released the following hotfixes to patch them (download links are available in this security advisory):

• Veeam ONE 12 P20230314 (12.0.1.2591)
• Veeam ONE 11a (11.0.1.1880)
• Veeam ONE 11 (11.0.0.1379)

Admins must stop the Veeam ONE monitoring and reporting services on impacted servers, replace the files on the disk with the files in the hotfix, and restart the services to deploy the hotfixes.

In March, Veeam also fixed a high-severity Backup Service vulnerability (CVE-2023-27532) in the Backup & Replication software that can be used to breach backup infrastructure hosts.

This flaw was later targeted in attacks linked to the financially motivated FIN7 threat group, known for its connections with multiple ransomware operations, including the Conti syndicate, REvil, Maze, Egregor, and BlackBasta.

Months later, the Cuba ransomware gang exploited the bug to target critical infrastructure organizations in the United States and IT firms in Latin America.

Veeam says its software is used by more than 450,000 customers globally, encompassing 82% of Fortune 500 companies and 72% of those listed in the Global 2,000 annual ranking.