Vulnerability CVE-2023-27532 - Applying Patch


Userlevel 7
Badge +11

Recently a vulnerability in Veeam Backup & Replication, CVE-2023-27532, was disclosed. It affects all supported v11 and v12 builds: an unauthenticated user who can reach the backup server on the backup infrastructure network (the Veeam.Backup.Service.exe listener, TCP 9401 by default) can obtain the encrypted credentials stored in the configuration database, which may give an attacker access to the backup infrastructure hosts.

So today, I'm going to show how easy it is to update VBR and install the patch that fixes this issue.

 

According to KB4424, we need to download the correct patch for our version: P20230223 for v12 (build 12.0.0.1420) or P20230227 for v11 (build 11.0.1.1261). In my case I am going to update a v12 environment.

 

So, the first thing is to download the patch:

 

After that we only need to unzip the downloaded file:

 

The installation is really simple.

 

We only need to click Next, Next, Finish:

 

I prefer not to tick the checkbox to update the components automatically. We can do that as a final step after the installation:

 

Just click Finish:

 

Now we can open our VBR console and update the remaining component from the components upgrade wizard that appears on first launch:

 

At the end we can check in Help > About that Veeam Backup & Replication is on 12.0.0.1420 P20230223:
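As an added example that is not part of the original post or of Veeam's own documentation, the following PowerShell script performs the checks worth running on the backup server around this patch: confirm that the installed base build is the one the KB4424 patch targets (the P-level itself is shown in Help > About), see what is listening on TCP 9401, the port Veeam.Backup.Service.exe exposes and through which CVE-2023-27532 is reached, list the inbound firewall rules that let traffic reach it, and optionally narrow those rules to the backup infrastructure hosts. KB4424 only describes blocking external access to 9401 as a temporary measure for all-in-one appliances with no remote components; scoping the port to known proxies, repositories and console machines is the general form of that mitigation for distributed deployments. The installation path, the port number and the -BackupInfraHosts and -ApplyFirewallScope parameters are assumptions of this example.

```powershell
# Added example, not from the original post or from Veeam. Run in an elevated
# PowerShell session on the backup server. Assumptions: default installation
# path and default Veeam.Backup.Service port 9401; parameter names are hypothetical.
param(
    # Hosts that legitimately talk to the backup server on 9401
    # (proxies, repositories, WAN accelerators, console machines).
    [string[]] $BackupInfraHosts = @(),
    [switch]   $ApplyFirewallScope
)

$VeeamPort = 9401
$CoreDll   = Join-Path $env:ProgramFiles 'Veeam\Backup and Replication\Backup\Veeam.Backup.Core.dll'

# Base builds the KB4424 patches are built for; the patch itself is confirmed
# in the console under Help > About (e.g. "12.0.0.1420 P20230223").
$PatchedBaseBuilds = @{
    '12' = [version]'12.0.0.1420'   # patch P20230223
    '11' = [version]'11.0.1.1261'   # patch P20230227
}

# 1. Installed base build, read from the core DLL's file version.
if (-not (Test-Path $CoreDll)) { throw "Veeam.Backup.Core.dll not found at $CoreDll" }
$installed = [version](Get-Item $CoreDll).VersionInfo.FileVersion
$major     = [string]$installed.Major
if ($PatchedBaseBuilds.ContainsKey($major) -and $installed -eq $PatchedBaseBuilds[$major]) {
    Write-Host "Base build $installed is the KB4424 patch target for v$major; confirm the P-level in Help > About."
} else {
    Write-Warning "Base build $installed is not a KB4424 patch target; move to $($PatchedBaseBuilds[$major]) first."
}

# 2. What is listening on 9401, and which inbound allow rules expose it.
$listener = Get-NetTCPConnection -LocalPort $VeeamPort -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener[0].OwningProcess
    Write-Host "TCP $VeeamPort is listened on by $($proc.ProcessName) (PID $($proc.Id))."
} else {
    Write-Host "Nothing is listening on TCP $VeeamPort."
}

# Allow rules whose port filter is exactly 9401 or 'Any'. Port ranges such as
# 9392-9401 are not expanded here and would have to be reviewed by hand.
$exposing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or ($pf.LocalPort -contains "$VeeamPort"))
    }
foreach ($rule in $exposing) {
    $af = $rule | Get-NetFirewallAddressFilter
    Write-Host ("Inbound allow: '{0}'  remote={1}" -f $rule.DisplayName, ($af.RemoteAddress -join ','))
}

# 3. Temporary mitigation: restrict 9401 to the backup infrastructure hosts.
if ($ApplyFirewallScope) {
    if (-not $BackupInfraHosts) { throw 'Provide -BackupInfraHosts; an empty scope would cut off your own proxies and repositories.' }
    # Windows Firewall evaluates block rules before allow rules, so a blanket block
    # would also stop legitimate components. Narrow the existing allow rules instead;
    # with the profile default of Block inbound, every other source is then refused.
    foreach ($rule in $exposing) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.LocalPort -contains "$VeeamPort") {
            $rule | Set-NetFirewallRule -RemoteAddress $BackupInfraHosts
            Write-Host "Scoped '$($rule.DisplayName)' to $($BackupInfraHosts -join ', ')"
        } else {
            Write-Warning "Rule '$($rule.DisplayName)' allows any TCP port; review it by hand."
        }
    }
    $openProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' -and $_.DefaultInboundAction -ne 'Block' }
    if ($openProfiles) { Write-Warning "Default inbound action is not Block on profile(s): $($openProfiles.Name -join ', ')" }
}
```

Run it first without -ApplyFirewallScope to see the current exposure, then again with the switch once the host list is right. The firewall scope is only a stopgap and defence in depth: the patch from KB4424 is the fix, and after installing it the script should still report the port as reachable only from the hosts you listed.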

 


12 comments

Userlevel 4
Badge

Nicely done! Please post how you updated the other components that were excluded in the automatic update process.  Thanks.

Userlevel 7
Badge +21

Excellent write-up Mateus. Well done 👍

Userlevel 7
Badge +11

Nicely done! Please post how you updated the other components that were excluded in the automatic update process.  Thanks.

It is one of the last images of the post. It is a simple step. You can check it here:

Server Components Upgrade - User Guide for VMware vSphere (veeam.com)

 

For this patch, only the VBR component is necessary.

 

Userlevel 7
Badge +6

Thanks for this info.  Super helpful.  Fortunately, I did all (or most of) my upgrades and patching through the Service Provider Console.  Upgrades were a little hit and miss, but the patching went great!  Planning a blog post on that one as soon as I can find the time!

I have a small test environment with Veeam 12 and Hyper-V Windows 2022. Backup worked for about 3 weeks with Release 12. After installing P20230223 all my jobs failed with:

Failed to create VM recovery checkpoint (mode: Veeam application-aware processing) Details: Unable to perform application-aware processing because connection to the guest could not be established
Error: Unable to perform application-aware processing because connection to the guest could not be established
Processing finished with errors at 10.03.2023 08:35:33

For the test I'm using an NFR license, so it's not possible to open a case. After removing Veeam and reinstall GA it worked as before. Any idea what happened with this patch?

Userlevel 7
Badge +13

Today the exploit has been released, so if you haven't yet, PATCH NOW.

https://www.bleepingcomputer.com/news/security/exploit-released-for-veeam-bug-allowing-cleartext-credential-theft/

Userlevel 7
Badge +8

Hello guys, just for your information: if you apply some hardening on your servers, especially if you have changed the "Debug programs" right, you could get the following error message: "Not All Privileges are Assigned to Caller error during upgrade/install".

More information here: https://www.veeam.com/kb2465
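As an added example that is not part of the comment above or of Veeam KB2465, the following PowerShell checks, before the patch installer is launched, whether the current token actually carries the "Debug programs" user right (SeDebugPrivilege) and which accounts the effective local policy grants it to. It assumes it is run from the same elevated session that will start the installer, because the right is evaluated on that token; the function names are this example's own.

```powershell
# Added example, not from the original comment or from Veeam KB2465.
# Assumption: run in the elevated PowerShell session that will launch the installer.

# Does the current token hold SeDebugPrivilege at all?
function Test-DebugPrivilege {
    $row = whoami /priv | Where-Object { $_ -match '^SeDebugPrivilege\s' }
    if (-not $row) {
        # A right that was removed from the account (and its groups) is simply absent
        # from the token; this is the state that triggers the installer error.
        Write-Warning 'SeDebugPrivilege is not in this token: "Debug programs" was removed from the account or its groups (secpol.msc > Local Policies > User Rights Assignment).'
        return $false
    }
    # "Disabled" in the whoami output is fine: the right is present and a process
    # can enable it on its own token; only its absence is a problem.
    Write-Host "SeDebugPrivilege present: $($row.Trim())"
    return $true
}

# Which accounts hold "Debug programs" according to the effective local policy?
function Get-DebugProgramsHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeDebugPrivilege*' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }   # right granted to nobody
    # Exported format: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...  (SIDs prefixed with *)
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # unresolvable SID (deleted account or unreachable domain)
    }
}

Test-DebugPrivilege | Out-Null
Write-Host "Accounts holding 'Debug programs': $((Get-DebugProgramsHolders) -join ', ')"
```

If the token check fails but the policy still lists BUILTIN\Administrators, the session is probably not elevated or a domain GPO is overriding the local setting; if the policy lists nobody, add the installing account or Administrators back as KB2465 describes and sign in again so the new token picks it up.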

Userlevel 7
Badge +11

Just passing by to say that you can vote for me for the Blog of the Month in March here:

Blog of the Month in March | Veeam Community Resource Hub

 

It is easy, you only need to choose my post.

Userlevel 7
Badge +6

 

Boss man asked me on Monday about the exploit as it got new press with the release.  Told him it was patched nearly two weeks ago via the console.  Love it!

Userlevel 7
Badge +8

Just to share with the community: I had an unpleasant surprise. If you have some private fix deployed on your VBR, it may not be merged into the new patch; you should ask support to rebuild it.

@HannesK @Mildur Were you aware of that?

Userlevel 7
Badge +12

Yes. We have some ideas to solve such issues for future updates.

https://forums.veeam.com/post482048.html#p482048

 

Best,

Fabian

Userlevel 7
Badge +21

Yes. We have some ideas to solve such issues for future updates.

https://forums.veeam.com/post482048.html#p482048

 

Best,

Fabian

That is great 👍
