CVE-2023-38547 & CVE-2023-38548: Two Critical Vulnerabilities in Veeam ONE

Share :

On 6 November 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE.  

  • CVE-2023-38547 (CVSS 9.9) could allow an unauthenticated threat actor to obtain information about the SQL server connection used by Veeam ONE to access its configuration database, which in turn could lead to remote code execution (RCE) on the SQL server hosting the product.  
  • CVE-2023-38548 (CVSS 9.8) could allow a threat actor to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.  

At this time, Arctic Wolf has not identified active exploitation of either vulnerability, nor a published proof of concept (PoC) exploit. Although threat actors have not historically targeted Veeam ONE products, obtaining RCE on the monitoring and analytics platform will likely increase the potential for threat actors to create a working PoC exploit and attempt exploitation. In 2023, multiple threat actors, including FIN7 and the Cuba ransomware group, targeted RCE vulnerabilities in Veeam’s Backup and Replication product to further compromise victim organisations.  

Recommendations for CVE-2023-38547 & CVE-2023-38548

Apply Applicable Security Hotfixes to Vulnerable Versions of Veeam ONE  

Arctic Wolf strongly recommends applying the latest security hotfixes to affected Veeam ONE products. Full instructions are available in the Veeam Advisory located here: https://www.veeam.com/kb4508  

Veeam performed vulnerability testing against actively supported versions only.  

  

Product 

 

Affected Version 

 

CVE 

 

Fixed Version 

 

Veeam ONE  11  CVE-2023-38547  Veeam ONE 11 (11.0.0.1379) 
11a  CVE-2023-38547  Veeam ONE 11a (11.0.1.1880) 
12  CVE-2023-38547, CVE-2023-38548  Veeam ONE 12 P20230314 (12.0.1.2591) 

 

Note: The hotfix for 12.0.1.2591 is not compatible with Veaam ONE 12 GA (build 12.0.0.2498) and will cause the Veeam ONE Reporting Service to not start. Organizations must update to 12.0.1.2591 before applying the hotfix  

Please follow your organisation’s patching and testing guidelines to avoid any operational impact.  

References 

  1. Veeam Advisory
  2. Exploitation of Veeam Backup and Replication  
  3. Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America  

 

Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Categories