Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449)

Veeam has fixed two vulnerabilities in Veeam Service Provider Console (VSPC), one of which (CVE-2024-42448) may allow remote attackers to achieve code exection on the VSPC server machine.

The vulnerabilities

Veeam Service Provider Console is a cloud-enabled platform that allows enterprises to manage and monitor backup operations across their offices. It’s also used by service providers to deliver Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) services to customers.

The solution uses management agents to interact with machines in managed infrastructures that run Veeam backup, disaster recovery and IT monitoring/reporting products.

CVE-2024-42448 allows remote code execution from the VSPC management agent machine on the VSPC server machine – if the management agent is authorized on the server.

CVE-2024-42449 allows attackers to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine – if they have a presence on the VSPC management agent machine and if the management agent is authorized on the server.

Additional information about the vulnerabilities is still under wraps.

Upgrade quickly!

Both CVE-2024-42448 and CVE-2024-42449 have been discovered during internal testing and Veeam does not mention in-the-wild exploitation.

They affect Veeam Service Provider Console 8.1.0.21377 and all earlier versions 8 and 7 builds, and have been fixed in Veeam Service Provider Console v8.1.0.21999.

“We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console,” the company advised.

Upgrading is the only way to plug these holes, as there is no mitigation available.