On November 6, 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE.
- CVE-2023-38547 (CVSS 9.9) could allow an unauthenticated threat actor to obtain information about the SQL server connection used by Veeam ONE to access its configuration database, which in turn could lead to remote code execution (RCE) on the SQL server hosting the product.
- CVE-2023-38548 (CVSS 9.8) could allow a threat actor to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
At this time, Arctic Wolf has not identified active exploitation of either vulnerability, nor a published proof of concept (PoC) exploit. Although threat actors have not historically targeted Veeam ONE products, the possibility of obtaining RCE on the monitoring and analytics platform will likely increase the potential for threat actors to create a working PoC exploit and attempt exploitation. In 2023, multiple threat actors, including FIN7 and the Cuba ransomware group, targeted RCE vulnerabilities in Veeam’s Backup and Replication product to further compromise victim organizations.
Recommendations for CVE-2023-38547 & CVE-2023-38548
Apply Applicable Security Hotfixes to Vulnerable Versions of Veeam ONE
Arctic Wolf strongly recommends applying the latest security hotfixes to affected Veeam ONE products. Full instructions are available in the Veeam Advisory located here: https://www.veeam.com/kb4508
Veeam performed vulnerability testing against actively supported versions only.
|Product|Version|Vulnerabilities|Build the hotfix applies to|
|---|---|---|---|
|Veeam ONE|11|CVE-2023-38547|Veeam ONE 11 (220.127.116.119)|
|Veeam ONE|11a|CVE-2023-38547|Veeam ONE 11a (18.104.22.1680)|
|Veeam ONE|12|CVE-2023-38547, CVE-2023-38548|Veeam ONE 12 P20230314 (22.214.171.12491)|
Note: The hotfix for 126.96.36.19991 is not compatible with Veeam ONE 12 GA (build 188.8.131.528) and will prevent the Veeam ONE Reporting Service from starting. Organizations must update to 184.108.40.20691 before applying the hotfix.
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
- Veeam Advisory
- Exploitation of Veeam Backup and Replication
- Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America