Software company Veeam has released urgent security updates to address two vulnerabilities detected in its Service Provider Console (VSPC), a platform used by service providers to manage and protect customer backups. Among the issues fixed is a critical remote code execution (RCE) vulnerability, rated 9.9 out of 10 on the CVSS scale, which could be exploited on unpatched servers.
Details of the Vulnerabilities
- CVE-2024-42448 (Critical RCE): This vulnerability allows attackers to execute arbitrary code from the VSPC management agent machine, provided the agent is authorized on the target server. The issue affects all VSPC versions up to 8.1.0.21377, including supported versions 7 and 8.
- CVE-2024-42449 (High Severity): This flaw enables attackers to extract the NTLM hash of the VSPC server service account and delete files on the affected server. Similar to the RCE flaw, it requires the management agent to be authorized on the target server.
Both vulnerabilities were discovered during internal security audits conducted by Veeam’s security team and do not affect other Veeam products, such as Veeam Backup & Replication or Veeam ONE.
Recommended Updates
Veeam has urged users to install the latest updates available for VSPC and migrate to supported versions if using outdated software. Unsupported versions should be considered vulnerable, as they could be exploited following the public disclosure of the vulnerabilities.
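The advisory's affected range (every build up to and including 8.1.0.21377) and its rule that unsupported product lines count as vulnerable can be turned into a simple inventory triage. The following is an added example, not code from Veeam or from the article; it assumes version strings use the four-part form shown above and that the inventory (hostname to version) has already been collected by whatever means the reader uses.

```python
# Added example: triage a VSPC inventory against the Veeam advisory.
# Assumption: version strings look like "8.1.0.21377" (dotted integers).
from typing import Dict, List, Tuple

LAST_AFFECTED_BUILD = (8, 1, 0, 21377)  # all builds <= this are in the affected range
OLDEST_SUPPORTED_MAJOR = 7              # advisory names versions 7 and 8 as supported


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1.0.21377' into (8, 1, 0, 21377); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSPC version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify_vspc_version(version: str) -> str:
    """Return 'unsupported', 'affected' or 'not_affected' for one VSPC build.

    'unsupported' follows the advisory: out-of-support lines are treated as
    vulnerable regardless of build number and need a migration, not a patch.
    """
    v = parse_version(version)
    if v[0] < OLDEST_SUPPORTED_MAJOR:
        return "unsupported"
    # Tuple comparison is lexicographic, so a short string like "8.1"
    # sorts before "8.1.0.21377" and is (correctly) treated as affected.
    if v <= LAST_AFFECTED_BUILD:
        return "affected"
    return "not_affected"


def hosts_needing_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (host, version, status) for every host that is not clearly outside the range."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = classify_vspc_version(version)
        if status != "not_affected":
            findings.append((host, version, status))
    return findings


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.1.0.21377",   # last affected build
    "vspc-prod-02": "8.1.0.21999",   # above the affected range
    "vspc-legacy":  "6.0.0.1234",    # out-of-support line
    "vspc-lab":     "7.0.0.100",     # supported but unpatched
}

if __name__ == "__main__":
    for host, version, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {status}")
```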
“We strongly recommend that service providers update to the latest versions immediately to ensure the security of their systems and their customers’ data,” Veeam stated in its official advisory.
Impact and Exploitation Risks
The company emphasized the importance of applying patches quickly, as attackers often reverse-engineer updates to exploit unpatched systems. Recent incidents, such as the exploitation of an RCE vulnerability in Veeam Backup & Replication (CVE-2024-40711) to deploy Frag, Akira, and Fog ransomware, highlight the risks of failing to update systems.
Veeam, whose products are used by over 550,000 customers worldwide, including 74% of Global 2,000 companies and 82% of Fortune 500 firms, reaffirmed its commitment to security. The company operates a Vulnerability Disclosure Program (VDP) to proactively identify and mitigate risks.
Conclusion
These vulnerabilities underscore the importance of cybersecurity in remote management platforms, particularly in an environment where attacks on critical infrastructure have intensified. Veeam urges users to prioritize installing the available updates to mitigate risks and safeguard their operations from potential exploits.
Source: Veeam and Open Security