Veeam, a provider of data replication and protection software, released critical security patches to fix severe vulnerabilities affecting its Service Provider Console (VSPC). One of the vulnerabilities is rated critical (9.9/10 on the CVSS scoring system), and the other has a high severity score. These vulnerabilities have not yet been exploited in the wild, but users should patch or upgrade immediately to reduce the risk.
Vulnerability Breakdown and Impact
The two vulnerabilities affect Veeam Service Provider Console 8.1.0.21377 and all earlier version 8 and version 7 builds. The VSPC is a multitenant web-based portal for service providers that provides centralized monitoring and management of Veeam-protected virtual and public cloud workloads. Both vulnerabilities are associated with the VSPC management agent engine.
The critical-severity vulnerability, identified as CVE-2024-42448, allows authorized management agents to achieve remote code execution (RCE) on VSPC server machines. RCE attacks are extremely dangerous because they let an outside party inject and execute malicious code, allowing the threat actor to control systems, potentially take over applications entirely, or launch ransomware attacks. The damage this vulnerability can lead to is explained by Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit. “VSPC allows service providers to monitor customer backups, manage recovery operations, and centralize backup management. Successful exploitation on one such server would come with a lot of damage and cause a loss of customer data as it will significantly affect system integrity, availability, and confidentiality, risking customer data and backup-related processes.”
Many major cyberattacks have been enabled by RCE vulnerabilities, including attacks occurring in 2021 that exploited an Apache Log4j vulnerability and the infamous WannaCry ransomware that utilized RCE to impact approximately 150,000 computers and servers.
The other vulnerability announced can result in the leaking of an NTLM hash (a one-way hash derived from a user’s password). This vulnerability, cataloged as CVE-2024-42449, is a high-severity flaw that can cause considerable damage; Veeam specifically stated it can result in the deletion of files on the VSPC server machine. Leaked NTLM hashes can be abused in pass-the-hash (PtH) attacks, in which an attacker authenticates with the password hash without ever knowing the password itself. This enables system compromise, lateral movement, and data loss. PtH attacks have existed for decades, but one noted use was by the ransomware-as-a-service (RaaS) platform called Hive, which utilized the attack to target a large number of Microsoft’s Exchange Server customers.
Mitigation Steps
These vulnerabilities were discovered by Veeam as part of its Vulnerability Disclosure Program (VDP). There is no indication that these flaws have been exploited in the wild, but following the notification, threat actors will work to weaponize these vulnerabilities before customers install the patches. For example, the Sophos X-Ops team tracked active attacks in October 2024 against an RCE vulnerability that was announced in early September 2024.
In its alert, Veeam encourages service providers using supported versions of Veeam Service Provider Console (versions 7 and 8) to update to the latest cumulative patch, and service providers using unsupported versions to upgrade to the latest version of the VSPC software.
Veeam noted there were no specific alternative mitigation options outside of patching or upgrading to the most recent software version. However, until that can be accomplished, organizations can look at general mitigation methods against RCE and PtH attacks. For RCE, defensive options include monitoring network traffic, searching for suspicious behavior, using buffer overflow protection that terminates a program when an overflow is detected, and sanitizing user input to validate and filter data supplied by users. PtH attacks can be generically defended against using strong password policies, monitoring for unusual authentication activity, and deploying multi-factor authentication.
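As an added example that is not from the article or from Veeam, the following Python shows one way to implement the "monitoring for unusual authentication activity" defense against pass-the-hash: it baselines which source addresses an account uses with Kerberos, then flags NTLM network logons that deviate from that baseline. The event records are constructed and modelled on Windows Security event 4624; the field names, sample values and the heuristic itself are this example's assumptions.

```python
# Added example, not from the article or Veeam: a detector for the "unusual
# authentication activity" PtH mitigation, run over constructed records modelled
# on Windows Security event 4624. Field names and heuristic are assumptions.
from collections import defaultdict

def ev(event_id, user, logon_type, package, ip):
    """Build a constructed event record with the 4624 fields we need."""
    return {"EventID": event_id, "TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": package, "IpAddress": ip}

# Constructed history: the VSPC service account only ever used Kerberos
# from one host during the baseline window.
BASELINE_EVENTS = [ev(4624, "svc-vspc", 3, "Kerberos", "10.0.0.10"),
                   ev(4624, "svc-vspc", 3, "Kerberos", "10.0.0.10")]

# Constructed new events: Kerberos as usual, NTLM from the usual host, NTLM
# from an unfamiliar host, a failed logon (4625), and an interactive NTLM
# logon (LogonType 2) by an account with no Kerberos history.
NEW_EVENTS = [ev(4624, "svc-vspc", 3, "Kerberos", "10.0.0.10"),
              ev(4624, "svc-vspc", 3, "NTLM", "10.0.0.10"),
              ev(4624, "svc-vspc", 3, "NTLM", "10.0.0.77"),
              ev(4625, "svc-vspc", 3, "NTLM", "10.0.0.77"),
              ev(4624, "jsmith", 2, "NTLM", "10.0.0.20")]

def build_baseline(events):
    """Map each account to the source addresses of its Kerberos network logons."""
    baseline = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "Kerberos"):
            baseline[e["TargetUserName"]].add(e["IpAddress"])
    return baseline

def find_suspicious_ntlm(events, baseline):
    """Return (account, source, reason) for NTLM network logons by accounts that
    normally use Kerberos. A pass-the-hash logon arrives over the network
    (LogonType 3) with NTLM, so the protocol change alone is worth a look."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue  # only successful network logons are of interest here
        if e["AuthenticationPackageName"] != "NTLM":
            continue
        known = baseline.get(e["TargetUserName"])
        if known is None:
            continue  # no Kerberos history for this account, nothing to compare
        reason = ("NTLM from unseen source" if e["IpAddress"] not in known
                  else "NTLM where Kerberos is the norm")
        hits.append((e["TargetUserName"], e["IpAddress"], reason))
    return hits
```

In a real deployment the baseline would be built from a historical window of events and the detector run over the current window; findings are triage leads, not proof of compromise.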
Lessons for the Future
There are a number of lessons to be learned from this announcement. The first is that it is critical for organizations to have a robust vulnerability disclosure program. Veeam uncovered these vulnerabilities before adversaries did, which allowed it to produce patches and notify its customers of the potential threats. Vulnerability disclosure efforts should include penetration testing.
Another lesson is that organizations need to build a resilient cybersecurity infrastructure that strengthens defenses against all types of attacks. There are a number of steps that can be taken to limit the potential damage from these types of attacks. Network monitoring, multi-factor authentication, API security, and zero trust are all capabilities that can help protect against many types of RCE and PtH attacks.
The final lesson is that patching vulnerabilities quickly is a top priority. Jason Soroko, a Senior Fellow at Sectigo, emphasizes that security “teams should immediately prioritize applying the security updates provided by Veeam. Delaying this action exposes your infrastructure to potential attacks that could have significant operational and security implications. Therefore, allocating resources to deploy these updates promptly should be considered a top priority.”