
Veeam Takes Swift Action to Address Critical Vulnerabilities in ONE IT Monitoring Platform


In a recent development, Veeam has rolled out security updates to rectify four vulnerabilities identified in its ONE IT monitoring and analytics platform. Among these vulnerabilities, two have been classified as critical in severity, necessitating immediate attention.

Separately, the NGINX Ingress Controller for Kubernetes was found to be vulnerable to flaws that can expose secret credentials.

These vulnerabilities are tracked as CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044.

An attacker with permission to create or modify Ingress objects could gain unauthorized access to sensitive data, inject arbitrary code, and steal Kubernetes API credentials.

Atlassian’s Confluence: Data Loss Vulnerability

Atlassian's Confluence Data Center and Server were affected by a critical security flaw (CVE-2023-22518) that could result in significant data loss if exploited by an unauthenticated attacker.

Although Atlassian stated that the flaw does not affect confidentiality, swift action was still essential. Atlassian advised users to upgrade to a fixed version, or to disconnect instances reachable from the public internet until a patch is applied.

Planning for Future Threats: Google's AI Security Initiatives

Google has expanded its Vulnerability Rewards Program to incentivize the discovery of vulnerabilities in generative artificial intelligence systems. 

This step aims to improve AI safety and security by surfacing issues such as unfair bias, model manipulation, and data misinterpretation.

Google is also strengthening AI supply chain security through open-source initiatives such as Sigstore and Supply Chain Levels for Software Artifacts (SLSA).

There is something to learn from the tech giants here: together with Anthropic, Microsoft, and OpenAI, Google has launched a $10 million AI Safety Fund, underlining a shared commitment to AI safety research.

Veeam Critical Vulnerabilities at a Glance

CVE-2023-38547 (CVSS score: 9.9) 

Veeam has not described this flaw in detail, but it poses a substantial risk. An unauthenticated user can exploit it to obtain information about the SQL Server connection that Veeam ONE uses to reach its configuration database, which can lead to remote code execution on the SQL Server host.

CVE-2023-38548 (CVSS score: 9.8) 

The second critical flaw allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. A captured hash of a service account is a prime target for offline cracking, so this flaw deserves the same urgency as the first.

Additional Vulnerabilities

  • CVE-2023-38549 (CVSS score: 4.5) – A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user holding the Veeam ONE Administrator role.
  • CVE-2023-41723 (CVSS score: 4.3) – Allows a user assigned the Veeam ONE Read-Only User role to view the Dashboard Schedule.

Versions Affected

CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12, while CVE-2023-38549 affects only Veeam ONE 12.

Available Fixes

To address these vulnerabilities, Veeam has released hotfixes for the following Veeam ONE builds (the hotfix is applied on top of an installation already running one of these builds):

  • Veeam ONE 11 (11.0.0.1379)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 12 P20230314 (12.0.1.2591)
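Since the hotfix targets specific builds rather than shipping as a new version, a quick way to triage an inventory of Veeam ONE servers is to compare each reported build against the three builds listed above and work out which CVEs apply and what the next step is. The following Python is an added example written for this page, not code from Veeam; the build strings, branch detection rules (11.0.0.x as version 11, 11.0.1.x as 11a, 12.x as 12) and the sample inventory are assumptions for illustration, and any build newer than the listed hotfix builds is flagged for manual confirmation rather than assumed fixed.

```python
"""Triage Veeam ONE builds against the hotfix builds named in the advisory.

Added example for this page, not Veeam code. Build strings are assumed to be
four dotted integers as shown on the page (e.g. "12.0.1.2591").
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

Build = Tuple[int, int, int, int]

# Hotfix-eligible builds exactly as listed in the advisory (Veeam ONE 11, 11a, 12).
HOTFIX_BUILDS: Dict[str, Build] = {
    "11": (11, 0, 0, 1379),
    "11a": (11, 0, 1, 1880),
    "12": (12, 0, 1, 2591),
}

# CVEs per version as listed in the advisory; CVE-2023-38549 affects only version 12.
AFFECTING_CVES: Dict[str, Tuple[str, ...]] = {
    "11": ("CVE-2023-38547", "CVE-2023-38548", "CVE-2023-41723"),
    "11a": ("CVE-2023-38547", "CVE-2023-38548", "CVE-2023-41723"),
    "12": ("CVE-2023-38547", "CVE-2023-38548", "CVE-2023-38549", "CVE-2023-41723"),
}


@dataclass
class Assessment:
    build: Build
    branch: Optional[str]       # "11", "11a", "12", or None if not covered here
    cves: Tuple[str, ...]       # CVEs from this advisory that apply to the branch
    action: str                 # machine-friendly verdict
    detail: str                 # human-readable next step


def parse_build(version: str) -> Build:
    """Turn '12.0.1.2591' into (12, 0, 1, 2591); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Veeam ONE build string: {version!r}")
    major, minor, patch, rev = (int(p) for p in parts)
    return (major, minor, patch, rev)


def branch_of(build: Build) -> Optional[str]:
    """Map a build to the advisory's version branch (assumed numbering scheme)."""
    major, minor, patch, _ = build
    if major == 11 and minor == 0 and patch == 0:
        return "11"
    if major == 11 and minor == 0 and patch == 1:
        return "11a"
    if major == 12:
        return "12"
    return None


def assess(version: str) -> Assessment:
    """Decide what an operator should do with a server on the given build."""
    build = parse_build(version)
    branch = branch_of(build)
    if branch is None:
        return Assessment(build, None, (), "not_covered",
                          "build not covered by this advisory; check vendor guidance")
    target = HOTFIX_BUILDS[branch]
    cves = AFFECTING_CVES[branch]
    if build == target:
        return Assessment(build, branch, cves, "apply_hotfix",
                          "on a hotfix-eligible build: stop services, replace files, restart")
    if build < target:   # tuple comparison is lexicographic, i.e. major, minor, patch, rev
        wanted = ".".join(str(n) for n in target)
        return Assessment(build, branch, cves, "upgrade_then_hotfix",
                          f"older than the hotfix build: update to {wanted}, then apply the hotfix")
    return Assessment(build, branch, cves, "confirm_newer",
                      "newer than the listed hotfix build: confirm fix status against the vendor KB")


def triage(inventory: Dict[str, str]) -> Dict[str, Assessment]:
    """Assess every host in a {hostname: build} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "vone-prod-01": "12.0.1.2591",
        "vone-prod-02": "11.0.1.1500",
        "vone-lab-01": "11.0.0.1379",
        "vone-legacy": "10.0.0.750",
    }
    for host, result in triage(sample).items():
        print(f"{host}: {result.action} ({', '.join(result.cves) or 'n/a'}) - {result.detail}")
```

Because `build == target` is the only case that returns `apply_hotfix`, a server that has already been patched cannot be distinguished by build number alone; the hotfix replaces files without changing the product build, so confirm the versions of the replaced files (or the vendor KB's verification steps) before closing the ticket.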

What Must You Do?

Take prompt action! To apply the fix, stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the hotfix files supplied by Veeam, and then restart both services.

Because the hotfix replaces files rather than changing the product version, do not rely on the build number alone to confirm that a server is patched; verify that the replaced files are in place before considering the host remediated.

Veeam Under Attack

In recent months, Veeam's backup software has been targeted by various threat actors, including FIN7 and the BlackCat ransomware group.

These actors exploited critical vulnerabilities in Veeam's software to deploy malware in victim environments.

Veeam’s proactive response to address the identified vulnerabilities is commendable, emphasizing its commitment to safeguarding its customers from potential threats and exploits.

Managing Risk is What It’s All About!

One thing technology providers need to understand is that patching instructions can be hard for some organizations to follow, because their IT infrastructure is complex. Patching becomes a time-consuming process, and the resulting delay leaves a window in which attackers exploit vulnerabilities that are already public.

The vulnerabilities in Veeam affect older versions of Veeam ONE. Organizations that continue to use legacy systems may be more susceptible to these vulnerabilities, as they may not be inclined to upgrade to the latest versions due to compatibility issues, cost, or other constraints.

Given these patching delays and complexities, Google's forward-looking approach to AI security, described above, is worth emulating: think strategically about your risks before they materialize.

Every organization must have a specific contingency plan to meet the security risks efficiently.

Author: Marrium Akhtar

Date: November 7, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
