| Field | Value |
| --- | --- |
| OEM | Veeam |
| Severity | Critical |
| Date of Announcement | 2024-12-05 |
| CVSS Score | 9.9 |
| CVE | CVE-2024-42448, CVE-2024-42449 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Two critical vulnerabilities in the Veeam Service Provider Console (VSPC) enable attackers to perform unauthenticated remote code execution (RCE) and arbitrary file deletion. Both pose a severe threat to the infrastructure of managed service providers that depend on VSPC for their operations.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| --- | --- | --- | --- | --- |
| Veeam Service Provider Console RCE | CVE-2024-42448 | Veeam Service Provider Console | Critical | 9.9 |
| NTLM Hash Leak and Arbitrary File Deletion on Server | CVE-2024-42449 | Veeam Service Provider Console | High | 7.1 |
| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2024-42448 | VSPC v8.1.0.21377 and all earlier versions. | This critical remote code execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam Service Provider Console server. It exploits a flaw in the server's handling of input, enabling attackers to compromise the entire system. | Allows attackers to execute arbitrary code on the server remotely. |
| CVE-2024-42449 | VSPC v8.1.0.21377 and all earlier versions. | This vulnerability allows attackers, via an authorized VSPC management agent, to leak the NTLM hash of the VSPC server service account and delete arbitrary files on the server. Exploitation requires valid credentials for an agent authorized by the VSPC server. | Permits authorized management agents to delete arbitrary files from the VSPC server. |
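The affected range for both CVEs is the same (VSPC v8.1.0.21377 and all earlier versions), so the practical first step is to compare each VSPC server's build against that ceiling. The script below is an added example, not part of this advisory or of any Veeam tooling: it parses dotted build strings, pads short ones, flags anything at or below 8.1.0.21377 as affected, and reports unparseable strings separately instead of silently treating them as safe. Because this page does not state the fixed build number, builds above the ceiling are reported only as "above listed range", not as patched. The hostnames and version strings in the inventory are constructed for the demo.

```python
# Added example (not from the advisory): flag VSPC builds inside the affected
# range stated in the table above, v8.1.0.21377 and all earlier versions.
# The fixed build number is not given on this page, so anything newer than the
# ceiling is reported as "above listed range", not as "patched".

AFFECTED_CEILING = (8, 1, 0, 21377)  # last affected build per the advisory text


def parse_version(text: str) -> tuple:
    """Parse a dotted build string such as '8.1.0.21377' into a 4-tuple of ints.

    Shorter strings are right-padded with zeros ('7.0' -> (7, 0, 0, 0));
    non-numeric parts or more than four components raise ValueError.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    nums = tuple(int(p) for p in parts)  # int() raises ValueError on junk
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True when the build is at or below the advisory's affected ceiling."""
    return parse_version(version) <= AFFECTED_CEILING


def assess_inventory(hosts: dict) -> dict:
    """Map hostname -> 'affected' | 'above listed range' | 'unparseable'.

    Unparseable strings are surfaced explicitly so a bad inventory entry is
    never mistaken for a safe host.
    """
    result = {}
    for host, version in hosts.items():
        try:
            result[host] = "affected" if is_affected(version) else "above listed range"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory: hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.1.0.21377",  # exactly the ceiling -> affected
    "vspc-prod-02": "8.0.0.19000",  # earlier build -> affected
    "vspc-lab-01": "8.1.0.30000",   # hypothetical newer build -> above listed range
    "vspc-old": "7.0",              # short string, padded -> affected
    "vspc-bad": "8.1.x",            # malformed entry -> unparseable
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed `assess_inventory` the build strings collected from your VSPC servers; any host reported as "affected" or "unparseable" needs follow-up against Veeam's published fix information, which this page does not include.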