Veeam, a prominent provider of data protection and backup solutions, recently released a comprehensive Security Bulletin highlighting critical vulnerabilities across several of its products. The bulletin, labeled as KB ID: 4649, encompasses updates for Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.
The disclosed issues include several high-severity vulnerabilities that could compromise the security and operation of Veeam deployments. This article summarizes the updates described in the Veeam security bulletin.
For Veeam Backup & Replication, versions 12.1.2.172 and earlier contain multiple vulnerabilities, including the critical CVE-2024-40711, which allows unauthenticated remote code execution (RCE). These issues are fixed in Veeam Backup & Replication version 12.2 (build 12.2.0.334).
For Veeam Agent for Linux, versions 6.1.2.178 and earlier are affected by CVE-2024-40709, a local privilege escalation to root. This issue is addressed in Veeam Agent for Linux version 6.2 (build 6.2.0.101), which ships bundled with Veeam Backup & Replication 12.2.
Veeam ONE versions 12.1.0.3208 and earlier are affected by several vulnerabilities of varying severity. These include CVE-2024-42024, which allows remote code execution on the Veeam ONE Agent machine, as well as CVE-2024-42019, CVE-2024-42023, CVE-2024-42021, CVE-2024-42022, and CVE-2024-42020. The fixes are included in Veeam ONE version 12.2 (build 12.2.0.4093).
Veeam Service Provider Console (VSPC) versions 8.0.0.19552 and earlier are affected by CVE-2024-38650 and CVE-2024-39714, both of which can be exploited by a low-privileged attacker. The fixes are included in Veeam Service Provider Console version 8.1 (build 8.1.0.21377).
Lastly, the Veeam Backup for Nutanix AHV Plug-In and the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In are also affected by vulnerabilities that are fixed in their respective updated versions.
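The version ranges above are the practical input for a patch-status check. The following is an added example, not Veeam's code or part of the bulletin: it compares installed build numbers numerically against the first fixed build named in the article for each product (the hostnames in the sample inventory are constructed for illustration).

```python
"""Exposure check against the fixed builds named in Veeam KB 4649.

Added example, not Veeam's code. The fixed builds are the ones quoted in
the article above; the bulletin states that every earlier build is affected.
"""
from typing import List, Tuple

# Product -> first fixed build, as listed in the bulletin summary above.
FIXED_BUILDS = {
    "Veeam Backup & Replication": "12.2.0.334",
    "Veeam Agent for Linux": "6.2.0.101",
    "Veeam ONE": "12.2.0.4093",
    "Veeam Service Provider Console": "8.1.0.21377",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172) so ordering is numeric.
    A plain string comparison would misorder e.g. '12.10.0.1' before '12.2.0.334'."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is below the first fixed build for the product."""
    return parse_build(installed) < parse_build(FIXED_BUILDS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (hostname, product, build) rows down to those still needing the update."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


# Constructed sample inventory; hostnames are invented for illustration.
SAMPLE_INVENTORY = [
    ("vbr-01", "Veeam Backup & Replication", "12.1.2.172"),       # last affected build
    ("vbr-02", "Veeam Backup & Replication", "12.2.0.334"),       # fixed
    ("agent-07", "Veeam Agent for Linux", "6.1.2.178"),            # affected
    ("one-01", "Veeam ONE", "12.2.0.4093"),                        # fixed
    ("vspc-01", "Veeam Service Provider Console", "8.0.0.19552"),  # affected
]

if __name__ == "__main__":
    for host, product, build in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {build} is below fixed build {FIXED_BUILDS[product]}")
```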
In conclusion, this Security Bulletin from Veeam underlines the importance of keeping backup software patched. Users are strongly advised to upgrade to the fixed versions listed above to protect their backup infrastructure and data integrity. Regular updates and sound security practices remain essential to the resilience of data protection solutions.
