Arctic Wolf Security Bulletin

CVE-2023-38547 & CVE-2023-38548: Two Critical Vulnerabilities in Veeam ONE

On November 6, 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE, CVE-2023-38547 and CVE-2023-38548. Arctic Wolf's recommendations follow.

On November 6, 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE.

  • CVE-2023-38547 (CVSS 9.9) could allow an unauthenticated threat actor to obtain information about the SQL Server connection that Veeam ONE uses to reach its configuration database, which in turn could lead to remote code execution (RCE) on the SQL Server hosting that configuration database.
  • CVE-2023-38548 (CVSS 9.8) could allow an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.

At this time, Arctic Wolf has not identified active exploitation of either vulnerability, nor a published proof-of-concept (PoC) exploit. Although threat actors have not historically targeted Veeam ONE, the prospect of RCE on the monitoring and analytics platform is likely to increase the chance that threat actors develop a working PoC and attempt exploitation. In 2023, multiple threat actors, including FIN7 and the Cuba ransomware group, targeted RCE vulnerabilities in Veeam's Backup & Replication product to further compromise victim organizations.

Recommendations for CVE-2023-38547 & CVE-2023-38548

Apply the Applicable Security Hotfixes to Vulnerable Versions of Veeam ONE

Arctic Wolf strongly recommends applying the latest security hotfixes to affected Veeam ONE products. Full instructions are available in Veeam's advisory.

Veeam performed vulnerability testing against actively supported versions only.

Product     Affected Version   CVE                              Build the Hotfix Applies To
Veeam ONE   11                 CVE-2023-38547                   Veeam ONE 11 (11.0.0.1379)
Veeam ONE   11a                CVE-2023-38547                   Veeam ONE 11a (11.0.1.1880)
Veeam ONE   12                 CVE-2023-38547, CVE-2023-38548   Veeam ONE 12 P20230314 (12.0.1.2591)

Note: The hotfix for 12.0.1.2591 is not compatible with Veeam ONE 12 GA (build 12.0.0.2498) and will cause the Veeam ONE Reporting Service to fail to start. Organizations running 12 GA must first update to 12.0.1.2591 and only then apply the hotfix.

Please follow your organization's patching and testing guidelines to avoid any operational impact.
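Before touching a Veeam ONE server it is worth confirming which build is actually installed, because the hotfix is build-specific and applying the 12.0.1.2591 hotfix to a 12 GA install breaks the Reporting Service. The following PowerShell script is an added example, not code from the Arctic Wolf bulletin or from Veeam. It assumes (this is not stated by the bulletin) that Veeam ONE components register under the standard HKLM Uninstall registry keys with a DisplayName beginning "Veeam ONE" and a four-part DisplayVersion, and that it is run in an elevated session on the Veeam ONE server. It classifies each installed component against the three hotfix builds from the table above and calls out the 12 GA prerequisite.

```powershell
# Added example; not code from the Arctic Wolf bulletin or from Veeam.
# Reads installed Veeam ONE components from the Windows uninstall registry keys
# and reports, per component, whether the build is one the hotfixes apply to,
# or the 12 GA build that must be updated to 12.0.1.2591 before the hotfix.
# Assumptions (not from the bulletin): components register under the standard
# HKLM Uninstall keys with a DisplayName beginning "Veeam ONE" and a four-part
# DisplayVersion. Run in an elevated session on the Veeam ONE server.

# Builds the hotfixes apply to, taken from the bulletin's table.
$HotfixBuilds = @{
    '11.0.0.1379' = 'Veeam ONE 11 hotfix (CVE-2023-38547)'
    '11.0.1.1880' = 'Veeam ONE 11a hotfix (CVE-2023-38547)'
    '12.0.1.2591' = 'Veeam ONE 12 P20230314 hotfix (CVE-2023-38547, CVE-2023-38548)'
}
$V12GA = [version]'12.0.0.2498'   # Veeam ONE 12 GA: hotfix is incompatible with this build
$V12P  = [version]'12.0.1.2591'   # build that 12 GA must be updated to first

function Get-VeeamOneHotfixStatus {
    # Classifies one installed build string against the bulletin's table.
    param([Parameter(Mandatory)][string]$Build)

    try { $ver = [version]$Build } catch {
        return "unparseable version '$Build'; inspect manually"
    }
    $key = $ver.ToString()   # e.g. '12.0.1.2591'; partial versions simply fall through

    if ($HotfixBuilds.ContainsKey($key)) {
        return "apply $($HotfixBuilds[$key])"
    }
    if ($ver -eq $V12GA) {
        return "Veeam ONE 12 GA: update to $V12P BEFORE applying the hotfix " +
               "(the hotfix is incompatible with GA and stops the Reporting Service)"
    }
    if ($ver -gt $V12P) {
        return "newer than $V12P; not covered by this bulletin, check Veeam's advisory"
    }
    return "build not listed in the bulletin; check Veeam's advisory before patching"
}

# Both native and WOW6432Node uninstall hives, in case components are 32-bit.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Components = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam ONE*' -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

if (-not $Components) {
    Write-Warning 'No Veeam ONE components found in the uninstall registry keys.'
} else {
    foreach ($c in $Components) {
        '{0} {1}: {2}' -f $c.DisplayName, $c.DisplayVersion, (Get-VeeamOneHotfixStatus -Build $c.DisplayVersion)
    }
}
```

Run it on each Veeam ONE server (or via remoting) before scheduling the hotfix; any component reported as 12 GA needs the 12.0.1.2591 update first, and any build the script cannot match should be checked against Veeam's advisory rather than patched blindly.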
