Threat update
Six vulnerabilities were recently discovered in Veeam Backup and Replication. One of them is an unauthenticated remote code execution (RCE) vulnerability, while the other five include authenticated RCE, arbitrary file deletion, low-privileged multi-factor authentication (MFA) setting modification and MFA bypass, credential sniffing, and privilege escalation. Review the details in this Cybersecurity Threat Advisory to limit the impact on customers.
Technical Detail and Additional Info
What is the threat?
Backup servers are often prime targets for ransomware actors. Sensitive data often lives on them, and backups are key to remediation following a ransomware attack. Threat actors can use any of the vulnerabilities listed to destroy backups, compromise the network further, and move laterally more easily.
The CVEs issued include:
- CVE-2024-39718
- CVE-2024-40710
- CVE-2024-40711
- CVE-2024-40712
- CVE-2024-40713
- CVE-2024-40714
Why is it noteworthy?
Unauthenticated RCE vulnerabilities in a backup solution are extremely risky: backup servers often contain extremely sensitive data, and the availability of that data is critical to recovering from cyberattacks such as ransomware. That makes these vulnerabilities very valuable to ransomware actors who plan to exfiltrate data or destroy backups.
What is the exposure or risk?
Focusing on the highest-severity vulnerability, the unauthenticated RCE, the exposure depends on how accessible the Veeam Backup and Replication server is. This vulnerability also has a severe impact on the confidentiality, integrity, and availability of the backups and the backup server, which could have a huge impact during attacks such as ransomware and data theft.
What are the recommendations?
LBT Technology Group recommends the following actions to limit the impact of these vulnerabilities:
- Update Veeam Backup and Replication to the latest version.
- Create offline backups so that critical data remains protected even while vulnerabilities are still unpatched.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.veeam.com/kb4649
- https://www.helpnetsecurity.com/2024/09/09/cve-2024-40711-exploited/
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
If you have any questions, please contact LBT's Sales Engineer.