- 325/2024
- Critical
Veeam has released security updates to fix several vulnerabilities affecting multiple Veeam products.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, gain elevated privileges, conduct DLL injection attacks, obtain sensitive information, manipulate data or execute arbitrary code, and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Veeam Backup & Replication Denial of Service Vulnerability (CVE-2024- 42453):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Denial of Service
2. Veeam Backup & Replication Privilege Escalation Vulnerability (CVE-2024- 42456):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
The affected products:
- Veeam Backup & Replication versions 12, 12.1 and 12.2.
- Veeam Agent for Microsoft Windows versions 6.0, 6.1 and 6.2.
- Veeam Service Provider Console version 8.1.
Vulnerabilities
- CVE-2024-42448
- CVE-2024-42449
- CVE-2024-40717
- CVE-2024-42451
- CVE-2024-42452
- CVE-2024-42453
- CVE-2024-42455
- CVE-2024-42456
- CVE-2024-42457
- CVE-2024-45204
- CVE-2024-45207
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.