Veeam patches high-severity backup service security vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: High (CVE-2023-27532 – CVSSv3 Score 7.5) – Compromise may result in the loss of confidentiality and integrity of data in the first instance.

Veeam has released a securty patch for a backup service security vulnerability, tracked as CVE-2023-27532. It has been determined that the security flaw was caused by the Veeam.Backup.Service.exe, successful manipulation of which allows unauthenticated threat actors to request encrypted credentials.

Impact

Successful exploitation of CVE-2023-27532 allows unauthenticated threat actors to access backup infrastructure hosts after obtaining encrypted credentials stored in the VeeamVBR configuration database.

Vulnerability Detection

Veeam has patched the vulnerability for the respective products. As such, previous versions are vulnerable to potential exploits.

Affected Products

– All Veeam Backup & Replication (VBR) versions.

Containment, Mitigations & Remediations

It is strongly reccommended that users apply the relevant Veeam updates as soon as possible, in order to prevent potential exploitation of the vulnerability reported on. Veeam has released patches for VBR V11 and VBR V12.

For users that are unable to apply the security patches immeditately, a temporary workaround method has also been disclosed. In such cases, users should block external connections to port TCP 9401 using the backup server firewall to block the attack vector and secure vulnerable servers against potential exploitation attempts. However, it should be noted that this strategy should only be employed in non-distributed Veeam environments since it will also affect the mount servers’ connections to the VBR server.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Veeam has a significant portion of the data replication and protection software market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, the Veeam products become a prime target. Due to the fact that data replication and protection software has become an integral component of business operations, threat actors will continue to exploit vulnerabilities contained within these products in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0006 – Credential Access

Further Information

Bleeping Computer Article
Veeam Advisory