Warning: Multiple Vulnerabilities In Veeam ONE, Patch Immediately!
CVE-2023-38547 - CVSS 9.9
CVE-2023-38548 - CVSS 9.8
CVE-2023-38549 - CVSS 4.5
CVE-2023-41723 - CVSS 4.3
Sources
Veeam - https://www.veeam.com/kb4508
Risks
These vulnerabilities pose a significant risk as they could lead to unauthorized access, data theft, and potential system compromise. It’s recommended to apply the available hotfixes to resolve these vulnerabilities.
Description
CVE-2023-38547: This vulnerability allows an unauthenticated user to gain information about the SQL server connection that Veeam ONE uses to access its configuration database. This could potentially lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
CVE-2023-38548: This vulnerability allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. This could potentially lead to unauthorized access to the service.
CVE-2023-38549: This vulnerability allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS. This could potentially lead to unauthorized administrative access, although the risk is reduced as it requires interaction by a user with the Veeam ONE Administrator role.
CVE-2023-41723: This vulnerability allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. The risk is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends that Windows system administrators upgrade the affected systems to the latest versions, which fix these issues.
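To verify that the upgrade has actually been applied on each server, an administrator can inventory the installed Veeam ONE components from the Windows registry and compare their versions against the fixed build. The script below is an added example for this advisory, not code from Veeam or from the CCB. It assumes that the Veeam ONE installers register under the standard Uninstall keys with a DisplayName beginning with "Veeam ONE" (an assumption), and the minimum fixed version is a placeholder that must be replaced with the build number given in Veeam KB4508.

```powershell
# Placeholder: replace with the fixed build number from https://www.veeam.com/kb4508
$MinimumFixedVersion = [version]'0.0.0.0'

# Standard locations where Windows installers register installed products
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VeeamOneComponent {
    # Enumerate installed products and keep those whose DisplayName starts with "Veeam ONE"
    # (the DisplayName prefix is an assumption about how the Veeam ONE installers register).
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam ONE*' } |
        ForEach-Object {
            $installed = $null
            # DisplayVersion is a string; cast it so that comparisons are numeric per segment
            if (-not [version]::TryParse($_.DisplayVersion, [ref]$installed)) {
                $installed = [version]'0.0.0.0'
            }
            [pscustomobject]@{
                Component = $_.DisplayName
                Version   = $installed
                Patched   = ($installed -ge $MinimumFixedVersion)
            }
        }
}

$components = @(Get-VeeamOneComponent)

if ($components.Count -eq 0) {
    Write-Output 'No Veeam ONE components found on this host.'
} else {
    $components | Format-Table -AutoSize
    $unpatched = $components | Where-Object { -not $_.Patched }
    if ($unpatched) {
        Write-Warning ("{0} Veeam ONE component(s) below the fixed version; apply the hotfix from KB4508." -f $unpatched.Count)
    } else {
        Write-Output 'All Veeam ONE components are at or above the fixed version.'
    }
}
```

Run the script in an elevated PowerShell session on every host that carries a Veeam ONE role (server, Web Client, Reporting Service), since the vulnerable components are installed per host and a single unpatched Web Client is enough to leave CVE-2023-38548 exposed. The comparison uses the [version] type rather than string matching so that a build such as 12.0.1.2591 is not misordered against 12.0.1.260.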
References
Infosecurity Magazine - https://www.infosecurity-magazine.com/news/veeam-patches-two-critical-bugs/
Bleeping Computer - https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-b...