Veeam issues patch for critical RCE bug

Veeam is warning its customers of two vulnerabilities, one of them a critical RCE bug, affecting the Service Provider Console (VSPC), a web-based management platform for managed service providers (MSPs).

On Tuesday, the data protection and backup solutions provider, whose products power IT systems availability for brands such as Cisco, Lenovo, and NASA, issued an advisory stating that exploitation of the bugs is possible only under certain circumstances. An update containing the necessary patches has been released, but there is presently no mitigation available for unpatched instances.

The first flaw fixed in that update, tracked as CVE-2024-42448, is a critical remote code execution (RCE) bug that could allow threat actors to execute arbitrary code on unpatched VSPC server machines. “From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine,” Veeam said.

The vulnerability, reportedly discovered during Veeam’s internal testing, has received a critical rating with a CVSS score of 9.9/10.

A quick scan on the leak search platform LeakIX, at the time of publishing this article, revealed over a million (1,186,722) potentially affected VSPC instances on the internet, with about half of them in the US and Germany alone.

The vulnerability affects VSPC versions 8.1.0.21377 and earlier (version 8 and 7 builds) and has been fixed in the 8.1.0.21999 update. “Unsupported product versions are not tested, but are likely affected and should be considered vulnerable,” the company wrote.

Another high-severity bug found

Along with the critical RCE bug, Veeam issued an alert for another high-severity flaw, tracked as CVE-2024-42449, which allows attackers to perform unauthorized deletion of VSPC server files. “From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine,” Veeam said.

The flaw, which received a 7.1/10 CVSS score, was fixed in the same update and, like the RCE bug, was reported not to affect any other Veeam products such as Veeam Backup and Replication (VBR), Veeam Agent for Microsoft Windows and Veeam ONE. Another critical RCE flaw affecting Veeam’s VBR, tracked as CVE-2024-40711, was disclosed in September and was later reported as being exploited in Akira and Fog ransomware N-day infections.
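As an added defender-side example (not code from the article or from Veeam), the following Python triages an inventory of VSPC builds against the versions quoted above: anything at or above 8.1.0.21999 is reported as fixed for both CVE-2024-42448 and CVE-2024-42449, and everything below it, including the explicitly listed 8.1.0.21377 and earlier 8 and 7 builds, is reported as affected, which also matches Veeam's guidance that unsupported versions should be considered vulnerable. It compares versions numerically rather than as strings, because a string compare ranks a build like 8.1.0.3000 above 8.1.0.21999. The hostnames, the build numbers other than the two from the advisory, and the inventory format are constructed for illustration.

```python
"""Triage an inventory of Veeam Service Provider Console (VSPC) builds
against the versions named in the advisory for CVE-2024-42448 and
CVE-2024-42449: 8.1.0.21377 and all earlier version 8 and 7 builds are
affected, 8.1.0.21999 carries the fix, and unsupported versions are to be
treated as vulnerable. The inventory below is constructed sample data."""

FIXED_BUILD = (8, 1, 0, 21999)  # build that carries the fix (from the advisory)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'a.b.c.d' (shorter forms are zero-padded) into a tuple of ints.

    Comparing version strings as text goes wrong once a component crosses
    a digit boundary: 8.1.0.3000 is below 8.1.0.21999 numerically, but as
    strings '3' sorts after '2'. Tuples of ints compare correctly.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def classify(version: str) -> str:
    """Return 'fixed' or 'affected' for one VSPC version string.

    Everything below the fixed build is reported as affected: the advisory
    lists 8.1.0.21377 and earlier version 8 and 7 builds explicitly, and
    says unsupported versions should be considered vulnerable as well.
    """
    if parse_version(version) >= FIXED_BUILD:
        return "fixed"
    return "affected"


def triage(inventory: str) -> dict[str, str]:
    """Map each 'host,version' line of a CSV-style inventory to its status.

    Blank lines and '#' comments are skipped; an unparsable version is
    reported as 'unknown' so it surfaces for manual review rather than
    silently counting as fixed.
    """
    result: dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            result[host.strip()] = classify(version)
        except ValueError:
            result[host.strip()] = "unknown"
    return result


# Constructed sample inventory: hostnames and all builds other than
# 8.1.0.21999 and 8.1.0.21377 are made up for illustration.
SAMPLE_INVENTORY = """\
# host,vspc_version
vspc-01.example.test,8.1.0.21999
vspc-02.example.test,8.1.0.21377
vspc-03.example.test,8.1.0.3000
vspc-04.example.test,7.0.0.100
vspc-05.example.test,8.1
vspc-06.example.test,n/a
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Feed it the real inventory exported from whatever asset tracking is in use; the point of the 'unknown' status is that a host whose version could not be read never disappears from the list of things to check.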

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3617081/veeam-issues-patch-for-critical-rce-bug.html
