Get a demo
Voyager18 (research)

How to fix CVE-2023-38547 in Veeam

CVE-2023-38547 is a critical RCE vulnerability found in Veeam ONE. Learn more about who it affects, and how to fix it.

Yair Divinsky | November 13, 2023

Veeam has warned of critical vulnerabilities in its Veeam ONE monitoring platform, including critical RCE vulnerability CVE-2023-38547 

Here’s everything you need to know:

CVE-2023-38547 at a glance

CISA deadline: 

None 

Type: 

Remote Code Execution 

Impact: 

Confidentiality, Integrity, Availability 

Platforms: 

Veeam ONE: 

12 P20230314 (12.0.1.2591), 

11a (11.0.1.1880), 

11 (11.0.0.1379) 

Wild Exploit: 

No 

Remediation action: 

Patch installations ASAP: Apply Veeam necessary hotfixes 

What is CVE-2023-38547?

CVE-2023-38547, within Veeam ONE, exposes the risk of an unauthenticated user obtaining information regarding the SQL server connection used by Veeam ONE to access its configuration database. This vulnerability has the potential to result in remote code execution (RCE) on the SQL server hosting the Veeam ONE configuration database, as indicated in a recently published advisory addressing multiple vulnerabilities.

The company has assigned almost maximum severity ratings, scoring 9.9 on the CVSS base scale, to these critical security flaws. These vulnerabilities enable attackers to achieve remote code execution (RCE) and extract NTLM hashes from vulnerable servers. The other two vulnerabilities in Veeam’s advisory are of medium severity, either requiring user interaction or having limited impact. 

Does CVE-2023-38547 affect me?

CVE-2023-38547 affects actively supported versions of Veeam ONE, including the latest release. The company has addressed these issues by releasing the following hotfixes, and download links can be found in the security advisory:

Veeam ONE 12 P20230314 (12.0.1.2591)

Veeam ONE 11a (11.0.1.1880)

Veeam ONE 11 (11.0.0.1379)

 

 

Has CVE-2023-38547 been actively exploited in the wild? 

Over recent months, critical flaws in Veeam’s backup software have been exploited by various threat actors, including FIN7 and BlackCat ransomware, to distribute malware. While Veeam makes no mention of any of CVE-2023-38547 vulnerability being exploited in the wild, attackers are known to have targeted flaws in its backup solutions. 

In March, Veeam also addressed a significant Backup Service vulnerability (CVE-2023-27532) in the Backup & Replication software, posing a potential threat to the security of backup infrastructure hosts. This particular flaw became the target of attacks associated with the financially motivated FIN7 threat group. Known for its ties to various ransomware operations, including the Conti syndicate, REvil, Maze, Egregor, and BlackBasta, FIN7 exploited this vulnerability to compromise backup infrastructure hosts. 

How to fix CVE-2023-38547 

To apply the hotfixes, administrators are required to halt the Veeam ONE monitoring and reporting services on affected servers, replace the files on the disk with those provided in the hotfix, and then restart the services. In its advisory, Veeam includes the necessary hotfixes, and users are advised to patch their installations as soon as possible. 

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management