Veeam has launched security updates to tackle 4 flaws in its One IT checking and analytics system, two of which are rated critical in severity.
The list of vulnerabilities is as follows –
- CVE-2023-38547 (CVSS rating: 9.9) – An unspecified flaw that can be leveraged by an unauthenticated consumer to obtain facts about the SQL server connection Veeam A single uses to entry its configuration databases, resulting in distant code execution on the SQL server.
- CVE-2023-38548 (CVSS score: 9.8) – A flaw in Veeam A single that lets an unprivileged person with access to the Veeam One Web Consumer to obtain the NTLM hash of the account applied by the Veeam A person Reporting Service.
- CVE-2023-38549 (CVSS rating: 4.5) – A cross-web page scripting (XSS) vulnerability that makes it possible for a person with the Veeam A single Power Person purpose to obtain the obtain token of a consumer with the Veeam A person Administrator part.
- CVE-2023-41723 (CVSS score: 4.3) – A vulnerability in Veeam One particular that permits a person with the Veeam Just one Go through-Only Person function to view the Dashboard Timetable.
When CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 impression Veeam 1 versions 11, 11a, 12, CVE-2023-38548 impacts only Veeam A single 12. Fixes for the issues are out there in the beneath variations –
- Veeam A person 11 (11…1379)
- Veeam One particular 11a (11..1.1880)
- Veeam A person 12 P20230314 (12..1.2591)
Over the previous couple of months, critical flaws in the Veeam backup software program have been exploited by several menace actors, which include FIN7 and BlackCat ransomware, to distribute malware.
Customers managing the influenced variations are encouraged to halt the Veeam One Checking and Reporting products and services, switch the present information with the information furnished in the hotfix, and restart the two solutions.
Found this post exciting? Follow us on Twitter and LinkedIn to read through extra distinctive content we put up.
Some elements of this article are sourced from: