Yesterday (Nov 6th, 2023) Veeam released a hotfix to mitigate four critical issues in Veeam ONE (VONE).
KB4508: CVE-2023-38547 | CVE-2023-38548 | CVE-2023-38549 | CVE-2023-41723 (veeam.com)
Two of them score 9.8 and 9.9. One of those two allows for remote code execution on the SQL server used for VONE, while the other enables a non-privileged VONE portal user to gain the NTLM hash of the user that runs the reporting service.
Therefore it is absolutely mandatory to patch those ASAP.
Patching is fast and easy, as long as you're already on the most recent version (Veeam ONE 12 P20230314, 12.0.1.2591).
The patch comes as a zip of ~1.2 MB.
It unpacks into the folder structure shown here and consists of 8 files in total:

First of all, check that the most recent version is installed. This is easy to do in PowerShell:
Get-WmiObject -Class Win32_Product | where {$_.Name -like "Veeam ONE*"} | select Name, Version
I was already on the correct version.

If not, you first have to apply the regular patch and only afterwards the hotfix.
Now we stop the following services:
- Veeam ONE Monitoring Service
- Veeam ONE Reporting Service
This can of course be done in an administrative PowerShell session:

Now we can copy the hotfix files to their destination folders on the VONE server. Do this in an administrative console as well, since we write to protected folders.
Let's assume we unzipped the hotfix into C:\temp:
robocopy 'C:\temp\HFKB4508_12.0.1.2591' 'C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server ' * /s
Mind the blank character after the destination path, before the closing quote. This is due to a bug in robocopy with path names containing blanks. /s makes sure the two subfolders are copied as well.
Having copied the 8 files of the patch, you can start the services again:

Now it’s time to check if VONE still works:
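The whole procedure above as one script, added here as an example and not taken from the original post or from Veeam. It assumes the hotfix was unzipped to C:\temp, the default install path and service names listed above, and an elevated PowerShell session; the backup folder and the SHA-256 check of the copied files are my additions.

```powershell
# Added example, not from the original post or from Veeam: apply hotfix KB4508
# to Veeam ONE 12.0.1.2591 and verify the copy. Assumes the hotfix zip was
# extracted to C:\temp, a default install path, and an elevated session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Source          = 'C:\temp\HFKB4508_12.0.1.2591'
$Destination     = 'C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server'
$Services        = 'Veeam ONE Monitoring Service', 'Veeam ONE Reporting Service'
$RequiredVersion = '12.0.1.2591'   # build the hotfix is made for (KB4508)

# 1. Hotfix only goes on top of 12.0.1.2591; Win32_Product is slow but matches the post's check.
$vone = Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like 'Veeam ONE*' }
if (-not ($vone | Where-Object Version -eq $RequiredVersion)) {
    $vone | Format-Table Name, Version
    throw "Apply the regular $RequiredVersion patch first, then this hotfix."
}

# 2. Stop the two services named in the post (Stop-Service blocks until they are stopped).
Stop-Service -Name $Services

# 3. Back up every file the hotfix will overwrite, then copy with robocopy.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $env:TEMP "VONE-pre-KB4508-$stamp"
$hotfix  = Get-ChildItem -Path $Source -Recurse -File
foreach ($f in $hotfix) {
    $rel    = $f.FullName.Substring($Source.Length).TrimStart('\')
    $target = Join-Path $Destination $rel
    if (Test-Path $target) {
        New-Item -ItemType Directory -Path (Split-Path (Join-Path $backup $rel)) -Force | Out-Null
        Copy-Item -Path $target -Destination (Join-Path $backup $rel)
    }
}
# robocopy exit codes 0..7 are success; 8 and above mean something was not copied.
& robocopy $Source $Destination /s /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 4. Verify: each hotfix file must now exist at the destination with the same SHA-256.
$bad = foreach ($f in $hotfix) {
    $rel    = $f.FullName.Substring($Source.Length).TrimStart('\')
    $target = Join-Path $Destination $rel
    if (-not (Test-Path $target)) { $rel; continue }
    if ((Get-FileHash $f.FullName).Hash -ne (Get-FileHash $target).Hash) { $rel }
}
if ($bad) { throw "Hotfix files missing or differing at destination: $($bad -join ', ')" }
Write-Host "$($hotfix.Count) hotfix files verified (the KB4508 package has 8); backup in $backup"

# 5. Bring the services back and confirm they are running.
Start-Service -Name $Services
Get-Service -Name $Services | Format-Table Name, Status
```

If the hash check throws, the services stay stopped so a half-applied hotfix is never put back into service; restore from the backup folder or rerun the copy.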

Take note that the hotfix won't be reflected in the version number.
We're still on the most recent patch, but have applied the hotfix successfully. 😎