Veeam Releases Patch for Its Two Critical Vulnerabilities in Service Provider Console

December 4, 2024
Critical Veeam VSPC Vulnerabilities: Patch Now

Cybersecurity researchers have identified two critical security vulnerabilities in Veeam Service Provider Console (VSPC) that could allow attackers to execute code remotely and leak sensitive information. The company has released patches to address these flaws, which affect VSPC version 8.1.0.21377 and all earlier builds.

"These vulnerabilities pose significant risks to organizations using the affected versions of Veeam Service Provider Console, particularly in managed service provider environments," security researchers said in the disclosure.

The more severe of the two flaws, tracked as CVE-2024-42448 with a CVSS score of 9.9, enables attackers to perform Remote Code Execution (RCE) on the VSPC server machine when a management agent is authorized on the server. This critical vulnerability could potentially give attackers complete control over affected systems.

The second vulnerability, identified as CVE-2024-42449 with a CVSS score of 7.1, allows attackers to leak NTLM hashes of the VSPC server service account and delete files on the VSPC server machine, but only under conditions where the management agent is authorized on the server.

Key Details About the Vulnerabilities:

  • Both vulnerabilities were discovered during internal testing

  • The flaws affect Veeam Service Provider Console version 8.1.0.21377 and all earlier version 8 and 7 builds

  • No mitigation methods are available other than updating to the patched version

  • The vulnerabilities do not affect other Veeam products like Veeam Backup & Replication or Veeam ONE

Veeam has addressed these security issues in VSPC version 8.1.0.21999. The company strongly recommends that all service providers using supported versions of VSPC (versions 7 & 8) update to the latest cumulative patch immediately.

"Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company warned in its security advisory. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

Veeam's Security Response

As part of its commitment to product security, Veeam operates a Vulnerability Disclosure Program (VDP) and performs extensive internal code audits. When vulnerabilities are identified, the company develops and releases patches promptly while maintaining transparency through public disclosures.

Service providers using unsupported versions are particularly at risk, as these versions are not tested but are likely affected and should be considered vulnerable. Organizations are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console to ensure their systems remain protected against these security threats.
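The advisory gives three facts a defender needs to act on: builds up to 8.1.0.21377 (and all earlier version 7 and 8 builds) are affected, 8.1.0.21999 carries the fix, and unsupported versions are untested but should be treated as vulnerable. The following is an added example, not code from the article or from Veeam, showing how to turn those facts into an inventory check. It assumes you already have each server's VSPC build string from your own asset inventory; the article does not describe how to obtain it, and the host names below are constructed sample data.

```python
from typing import Dict, List, Tuple

# Build numbers as stated in the advisory summarised above.
LAST_AFFECTED_BUILD = (8, 1, 0, 21377)
FIXED_BUILD = (8, 1, 0, 21999)
# Versions 7 and 8 are the supported major versions named in the article.
SUPPORTED_MAJORS = {7, 8}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '8.1.0.21377' into a comparable tuple.

    Shorter strings are padded with zeros so '8.1' compares as (8, 1, 0, 0).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def classify_vspc_build(version: str) -> str:
    """Classify one VSPC build against the advisory.

    'patched'      -> 8.1.0.21999 or later
    'vulnerable'   -> a supported (7.x / 8.x) build below the fixed build
    'unsupported'  -> an older major version; untested, treat as vulnerable
    """
    v = parse_version(version)
    if v >= FIXED_BUILD:
        return "patched"
    if v[0] in SUPPORTED_MAJORS:
        return "vulnerable"
    return "unsupported"


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return host names whose build is not yet on the fixed release.

    Both 'vulnerable' and 'unsupported' results land here, because the
    advisory says unsupported versions should be considered vulnerable.
    """
    return sorted(
        host for host, build in inventory.items()
        if classify_vspc_build(build) != "patched"
    )


# Constructed sample inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.1.0.21377",   # last affected 8.1 build
    "vspc-prod-02": "8.1.0.21999",   # fixed build
    "vspc-lab-01":  "7.0.0.12345",   # hypothetical version 7 build
    "vspc-legacy":  "6.0",           # hypothetical unsupported build
}

if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        print(f"{host:14} {build:14} {classify_vspc_build(build)}")
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

The comparison is deliberately a plain tuple comparison rather than a regex on the last component, so that a future 8.2.x or 9.x build is reported as patched without editing the script; only `FIXED_BUILD` needs to change if Veeam ships a later fix.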

The discovery of these vulnerabilities highlights the ongoing importance of maintaining up-to-date security patches and robust security practices in managed service provider environments. Service providers are advised to review their Veeam deployments and apply the necessary updates as soon as possible to protect their infrastructure and client data from potential exploitation.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
