Veeam Service Provider Console is vulnerable to two security flaws tracked as CVE-2024-42448 and CVE-2024-42449. Both vulnerabilities were discovered during internal testing at Veeam. Successful exploitation may allow an attacker to execute arbitrary code on the VSPC server, or to leak the NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Veeam Service Provider Console (VSPC) is a cloud-enabled platform for centralized management and monitoring of data protection operations and services. It lets service providers centralize the management of all their Veeam Backup & Replication workloads, monitor job executions, and quickly relaunch failed jobs, so they can respond faster and more proactively. The platform serves as a remotely managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) offering.
CVE-2024-42448
The vulnerability has a critical severity rating with a CVSS score of 9.9. If a management agent is authorized on the server, an attacker may execute arbitrary code on the VSPC server from the VSPC management agent machine.
CVE-2024-42449
The vulnerability has a high severity rating with a CVSS score of 7.1. If a management agent is authorized on the server, an attacker may leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Affected Versions
The vulnerabilities affect Veeam Service Provider Console 8.1.0.21377 and all earlier version 8 and version 7 builds.
Mitigation
Customers must upgrade to Veeam Service Provider Console version 8.1.0.21999 to patch the vulnerabilities.
Please refer to the Veeam Security Advisory (KB4679) for more information.
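The affected-version and mitigation statements above reduce to a build-number comparison that is easy to get wrong by hand across a fleet of VSPC servers. The following is an added example, not Qualys or Veeam code, that parses dotted VSPC build strings and flags every version 7 and version 8 build below the patched 8.1.0.21999 as needing the upgrade. The hostnames and version strings in the sample inventory are constructed; the advisory names only 8.1.0.21377 as the last affected build, so treating any build between 21377 and 21999 as still affected is an assumption made here because such builds predate the fix.

```python
"""Triage Veeam Service Provider Console builds against the advisory's
affected range for CVE-2024-42448 / CVE-2024-42449.

Added example (not Qualys or Veeam code). The SAMPLE_INVENTORY entries are
constructed sample data, not real hosts."""

from typing import List, Tuple

# Build numbers taken from the advisory text.
LAST_AFFECTED_BUILD = (8, 1, 0, 21377)   # last build the advisory lists as affected
PATCHED_BUILD = (8, 1, 0, 21999)         # build customers must upgrade to
AFFECTED_MAJORS = {7, 8}                 # "all earlier version 8 and version 7 builds"


def parse_build(version: str) -> Tuple[int, ...]:
    """Parse a dotted build string such as '8.1.0.21377' into a tuple of ints.

    Raises ValueError for anything that is not purely numeric dotted form so a
    malformed inventory entry is surfaced instead of silently treated as safe."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """Return True when the build falls inside the advisory's affected range.

    Majors outside 7 and 8 are reported as not affected because the advisory
    does not list them. Within majors 7 and 8, anything below PATCHED_BUILD is
    flagged; builds between LAST_AFFECTED_BUILD and PATCHED_BUILD are not named
    by the advisory and are treated as affected here (assumption: they predate
    the fix)."""
    build = parse_build(version)
    if build[0] not in AFFECTED_MAJORS:
        return False
    # Pad short strings so '8.1' compares like '8.1.0.0'.
    padded = build + (0,) * max(0, 4 - len(build))
    return padded < PATCHED_BUILD


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split (hostname, version) pairs into needs-patch, ok, and unparseable.

    Unparseable entries are returned separately rather than dropped, because a
    host whose version cannot be read is not evidence that it is patched."""
    needs_patch: List[str] = []
    ok: List[str] = []
    unknown: List[str] = []
    for host, version in inventory:
        try:
            (needs_patch if is_affected(version) else ok).append(host)
        except ValueError:
            unknown.append(host)
    return needs_patch, ok, unknown


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vspc-prod-01", "8.1.0.21377"),   # last affected build from the advisory
    ("vspc-prod-02", "8.1.0.21999"),   # patched build from the advisory
    ("vspc-lab-01", "7.0.0.12000"),    # constructed version 7 build
    ("vspc-old-01", "6.0.0.5000"),     # constructed build outside the listed majors
    ("vspc-bad-entry", "n/a"),         # malformed entry, surfaced rather than ignored
]

if __name__ == "__main__":
    need, fine, unk = triage(SAMPLE_INVENTORY)
    print("needs upgrade to 8.1.0.21999:", need)
    print("patched or not in the listed range:", fine)
    print("could not parse version:", unk)
```

Run it against an export of installed VSPC versions (for example from your asset inventory or the Qualys scan results) and treat the `unknown` list as follow-up work, not as clean.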
Qualys Detection
Qualys customers can scan their devices with QID 382506 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.veeam.com/kb4679