
How to fix CVE-2023-38547 in Veeam

CVE-2023-38547 is a critical RCE vulnerability found in Veeam ONE. Learn more about who it affects, and how to fix it.

Yair Divinsky | November 13, 2023

Veeam has warned of critical vulnerabilities in its Veeam ONE monitoring platform, including the critical RCE vulnerability CVE-2023-38547.

Here’s everything you need to know:

CVE-2023-38547 at a glance

CISA deadline: None
Type: Remote Code Execution
Impact: Confidentiality, Integrity, Availability
Platforms: Veeam ONE 12 P20230314 (12.0.1.2591), 11a (11.0.1.1880), 11 (11.0.0.1379)
Wild Exploit: No
Remediation action: Patch installations ASAP: apply the hotfixes Veeam provides

What is CVE-2023-38547?

CVE-2023-38547, within Veeam ONE, exposes the risk of an unauthenticated user obtaining information regarding the SQL server connection used by Veeam ONE to access its configuration database. This vulnerability has the potential to result in remote code execution (RCE) on the SQL server hosting the Veeam ONE configuration database, as indicated in a recently published advisory addressing multiple vulnerabilities.

Veeam has rated the critical flaws 9.9 on the CVSS base scale, just short of the maximum. These vulnerabilities enable attackers to achieve remote code execution (RCE) and to extract NTLM hashes from vulnerable servers. The other two vulnerabilities in Veeam's advisory are of medium severity, either requiring user interaction or having limited impact.

Does CVE-2023-38547 affect me?

CVE-2023-38547 affects actively supported versions of Veeam ONE, including the latest release. The company has addressed these issues by releasing the following hotfixes, and download links can be found in the security advisory:

Veeam ONE 12 P20230314 (12.0.1.2591)

Veeam ONE 11a (11.0.1.1880)

Veeam ONE 11 (11.0.0.1379)


Has CVE-2023-38547 been actively exploited in the wild? 

Over recent months, critical flaws in Veeam's backup software have been exploited by various threat actors, including FIN7 and the BlackCat ransomware operation, to distribute malware. While Veeam does not mention CVE-2023-38547 being exploited in the wild, attackers are known to have targeted flaws in its backup solutions.

In March, Veeam also addressed a significant Backup Service vulnerability (CVE-2023-27532) in the Backup & Replication software, posing a potential threat to the security of backup infrastructure hosts. This particular flaw became the target of attacks associated with the financially motivated FIN7 threat group. Known for its ties to various ransomware operations, including the Conti syndicate, REvil, Maze, Egregor, and BlackBasta, FIN7 exploited this vulnerability to compromise backup infrastructure hosts. 

How to fix CVE-2023-38547 

To apply the hotfixes, administrators must stop the Veeam ONE monitoring and reporting services on affected servers, replace the files on disk with those provided in the hotfix, and then restart the services. Veeam's advisory links the necessary hotfixes, and users are advised to patch their installations as soon as possible.
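The stop/replace/restart procedure above, as an added PowerShell example that is not Veeam's own tooling: it assumes the Veeam ONE services can be matched by the display-name prefix "Veeam ONE*", that $InstallDir is the product's install folder, and that $HotfixDir contains the extracted hotfix files at the same relative paths as the files they replace. It backs up every replaced file and records old and new file versions so the change is auditable.

```powershell
# Added example (not Veeam's tooling). Assumed: service display names start with
# "Veeam ONE", and the hotfix folder mirrors the install folder's relative paths.
param(
    [string]$InstallDir = 'C:\Program Files\Veeam\Veeam ONE',   # assumed install path
    [string]$HotfixDir  = 'C:\Temp\VeeamONE-Hotfix',           # assumed extracted hotfix
    [string]$BackupDir  = "C:\Temp\VeeamONE-Backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$ErrorActionPreference = 'Stop'

# 1. Stop the running Veeam ONE services (monitoring and reporting) before touching files.
$services = Get-Service | Where-Object { $_.DisplayName -like 'Veeam ONE*' -and $_.Status -eq 'Running' }
if (-not $services) { throw 'No running Veeam ONE services found; check the display-name assumption.' }
foreach ($svc in $services) {
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# 2. Back up each file the hotfix replaces, then copy the hotfix file over it.
$hotfixRoot = (Resolve-Path $HotfixDir).Path.TrimEnd('\')
foreach ($file in Get-ChildItem -Path $hotfixRoot -Recurse -File) {
    $relative = $file.FullName.Substring($hotfixRoot.Length + 1)
    $target   = Join-Path $InstallDir $relative
    $backup   = Join-Path $BackupDir $relative
    if (-not (Test-Path $target)) {
        Write-Warning "$relative not present under $InstallDir; skipping"
        continue
    }
    New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
    Copy-Item -Path $target -Destination $backup -Force
    $oldVersion = (Get-Item $target).VersionInfo.FileVersion
    Copy-Item -Path $file.FullName -Destination $target -Force
    $newVersion = (Get-Item $target).VersionInfo.FileVersion
    Write-Output ("{0}: {1} -> {2}" -f $relative, $oldVersion, $newVersion)
}

# 3. Restart the services and confirm each one came back up.
foreach ($svc in $services) {
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}
Get-Service -Name $services.Name | Select-Object Name, Status
```

Run it from an elevated PowerShell session on the Veeam ONE server; the backup folder lets you roll back file-by-file if the hotfix misbehaves.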

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned
