Patch Alert Issued for Veeam Backup & Replication Software
Expect Ransomware Groups to Abuse Critical-Severity Bug to Steal Data, Experts Warn
Security experts are urging all Veeam Backup & Replication software users to immediately update their software to patch a critical, remotely exploitable flaw.
Veeam first disclosed the vulnerability, tracked as CVE-2024-40711, on Thursday, when it released patches to fix 18 vulnerabilities across its product line, including five critical flaws, so designated because they can be remotely exploited to execute arbitrary code.
The update for the widely used Veeam Backup & Replication fixes flaws that are present in version 12.1.2.172 of the software and in all earlier version 12 builds. The software is used for backup and recovery across cloud, virtual and physical IT environments and works directly with such platforms and environments as AWS, Azure, Google Cloud, Oracle, SAP Hana and Broadcom's VMware.
The company warned that no-longer-supported versions of Veeam Backup & Replication, such as version 11, for which support ceased in February, "are not tested, but are likely affected and should be considered vulnerable."
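Because the affected range is "12.1.2.172 and every earlier 12.x build" plus the unsupported version 11 line, the usual mistake when triaging an inventory is to compare build strings lexically, under which "12.1.2.172" sorts before "12.1.2.99". The helper below, an added example and not Veeam's own tooling, compares Veeam-style dotted build numbers numerically and classifies each server against the ranges stated in the article. The host inventory and the newer build string "12.2.0.1" are constructed for illustration; take the actual patched build number from Veeam's advisory rather than from this code.

```python
import re
from typing import Dict, List, Tuple

# Affected range per the article's summary of Veeam's advisory:
# 12.1.2.172 and all earlier version 12 builds. Version 11 is out of
# support and, per Veeam, should be considered vulnerable.
LAST_AFFECTED_V12: Tuple[int, int, int, int] = (12, 1, 2, 172)
OLDEST_SUPPORTED_MAJOR = 12


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string like '12.1.2.172' into a 4-tuple of ints.

    Two- and three-part strings are right-padded with zeros so that
    '12.1' compares as 12.1.0.0. Anything else is rejected loudly rather
    than silently classified.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text):
        raise ValueError(f"not a dotted build string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify_vbr_version(text: str) -> str:
    """Classify a Veeam Backup & Replication build against the advisory."""
    v = parse_version(text)
    if v[0] < OLDEST_SUPPORTED_MAJOR:
        # e.g. version 11: untested by the vendor, presumed vulnerable
        return "unsupported-presumed-vulnerable"
    if v[0] == 12 and v <= LAST_AFFECTED_V12:
        return "vulnerable"
    return "outside-affected-range"


def lexical_compare_misorders() -> bool:
    """Show the pitfall: plain string comparison puts 172 before 99."""
    return "12.1.2.172" < "12.1.2.99"


def numeric_compare_orders_correctly() -> bool:
    return parse_version("12.1.2.172") > parse_version("12.1.2.99")


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose build is vulnerable or unsupported, sorted."""
    return sorted(
        host for host, build in inventory.items()
        if classify_vbr_version(build) != "outside-affected-range"
    )


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.1.2.172",   # last affected 12.x build named in article
    "vbr-prod-02": "12.0.0.1420",  # earlier 12.x build, also in range
    "vbr-legacy": "11.0.1.1261",   # out-of-support version 11
    "vbr-lab": "12.2.0.1",         # hypothetical newer build, not in range
}

if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        print(f"{host:12s} {build:12s} {classify_vbr_version(build)}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Feed it the build numbers from your own asset inventory; anything that does not come back as `outside-affected-range` should be patched or isolated, and the version 11 hosts should be treated as compromised-until-proven-otherwise rather than merely "old".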
Attackers can exploit CVE-2024-40711 to remotely execute code on a Veeam Backup & Replication server without having to first authenticate to the server. The vendor rated the flaw 9.8 on the 10-point CVSS scale and credited its discovery to researcher Florian Hauser at cybersecurity service provider Code White.
The company said the flaw could be used to facilitate "full systems takeover" and that it wouldn't be immediately releasing any technical details about the vulnerability "because this might instantly be abused by ransomware gangs."
Four other flaws patched via the Thursday update to Veeam Backup & Replication are rated as high-severity because exploiting them requires an attacker to first gain a low-privileged role with the software or to have already gained access to the network.
Other updates released Thursday by Veeam address vulnerabilities in its software agent for Linux; Veeam ONE, its software for monitoring and managing virtual and data protection environments; Service Provider Console software for managing Backup & Replication software workloads; and its backup software for the Nutanix AHV virtualization platform, Oracle Linux Virtualization Manager and Red Hat Virtualization products.
Attack surface management and threat hunting platform Censys said CVE-2024-40711 is especially concerning because the vulnerability can be exploited "to gain full control of a system, manipulate data and potentially move laterally within a network, making it a relatively high-value target for threat actors."
Whether the vulnerability is already being actively exploited via in-the-wild attacks isn't clear. Even so, Censys said "its potential for extracting large volumes of data and enabling lateral movement within networks suggests it could become a target for ransomware attacks."
By exploiting the flaw, criminals could steal backup data and hold it to ransom, as well as crypto-lock the backup environment, fueling double-extortion shakedowns.
Ransomware and cybercrime groups have previously targeted known vulnerabilities in Veeam Backup & Replication, including CVE-2023-27532, which Veeam patched in March 2023. Attackers could exploit that flaw to steal encrypted credentials, allowing them to gain unauthorized access to the software and potentially pivot to other parts of the network, researchers warned.
Cybersecurity firm Group-IB reported in July that groups such as EstateRansomware appear to have begun targeting CVE-2023-27532 just weeks after its public disclosure.
Other groups targeting that flaw have included the ransomware operations Cuba and Akira, as well as the cybercrime group FIN7, which has been connected to ransomware groups such as BlackBasta (see: Feds Warn of Rise in Attacks Involving Veeam Software Flaw).
Last August, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2023-27532 to its Known Exploited Vulnerabilities catalog.