Skip to main content
  • EN

Today, I noticed there are two fresh vulnerabilities on the VBR12.1 Manager and console servers. Certain .net core requirements are installed when the product is installed. Unfortunately, The .net isn't patched automatically through Windows updates.

 

CVE-2023-36049--.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36049

This security advisory is being released by Microsoft to inform users of a vulnerability present in .NET 6.0, .NET 7.0, and .NET 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

When untrusted URIs are sent to System .Net, a vulnerability in .NET allows for the elevation of privilege. It is possible to insert arbitrary commands into backend FTP servers using WebRequest.Create.

 

CVE-2023-36558--ASP.NET Core - Security Feature Bypass Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558

Microsoft provides this security advisory to notify users about a vulnerability in ASP.NET Core 6.0, 7.0, and 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

An ASP.NET security feature bypass vulnerability allows an unauthorized user to circumvent validation on Blazor server forms, potentially leading to unwanted behaviours.

Affected software:

Any ASP.NET Core Blazor 6.0 application running on .NET 6.0.24 or earlier.

Any ASP.NET Core Blazor 7.0 application running on .NET 7.0.13 or earlier.

Any ASP.NET Core Blazor 8.0 application running on .NET 8.0 RC2.

 

Follow the steps below to fix the VBR 12.1 CVE-2023-36558 and CVE-2023-36049 vulnerabilities.

Please backup the servers before making any changes.

 

1.Login to the Veeam servers.

2.Open Command Prompt as administrator.

3.Programs and Features to check the .net version. You will see the VBR 12.1 manager and console server are installing .net version 6.0.24 through the VeeamBackup&Replication_12.1.0.2131_20231206 iso image.

4.Microsoft recommends downloading and installing patched version 6.0.25 and uninstalling the end of support .net version.

https://download.visualstudio.microsoft.com/download/pr/955c1f8b-93d8-4c32-9380-6dd18f69a135/44efbec986e7d078395ba9e45cf0e607/dotnet-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/dc41dbfc-0cb2-453b-8e13-b96df87ec639/80632cb579c5dd86842224b9e6304221/aspnetcore-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/52d6ef78-d4ec-4713-9e01-eb8e77276381/e58f307cda1df61e930209b13ecb47a4/windowsdesktop-runtime-6.0.25-win-x64.exe

5.Programs and Features to check the .net version. You will see all of the .net version 6.0.25 installed.

6.Restart server.

Everything is fine so far, and the .net versions are patched.

The Vulnerabilities were fixed at 12.1.1.56.

https://www.veeam.com/kb4510

The Vulnerabilities were fixed at 12.1.1.56.

https://www.veeam.com/kb4510

Just a bit of clarity on this, if you installed Veeam 12.1.1.56 *prior* to Jan 19th, you should update VBR as @CarySun advised above.

Only the 12.1.1.56 ISO was patched to include the patched .NET version. So if you install VBR 12.1.1.56 today, you’re good to go. If you installed it a week ago, you still need to patch your .NET on the VBR server.

The Vulnerabilities were fixed at 12.1.1.56.

https://www.veeam.com/kb4510

Just a bit of clarity on this, if you installed Veeam 12.1.1.56 *prior* to Jan 19th, you should update VBR as @CarySun advised above.

Only the 12.1.1.56 ISO was patched to include the patched .NET version. So if you install VBR 12.1.1.56 today, you’re good to go. If you installed it a week ago, you still need to patch your .NET on the VBR server.

I think you need to ensure you are using VeeamBackup&Replication_12.1.1.56_20240116.iso. It should be good. The date is not important.😂

Thanks for sharing, @CarySun !

Wasn’t aware...thanks for the share Cary.

Thank you for the sharing master @CarySun 🙏🏼

 

Hi All,

 

We have upgraded Veeam to 12.1.1.56. we are still seeing old ASP.NET Core 6.0.12 also present with the new one.

Will Veeam not remove the old ASP.NET Core 6.0.12?

 

Regards,

Surya

 

Hi Surya

 

.NET is not maintained by our product updates.

 

We include the latest .NET on our ISO for new Veeam Backup & Replication deployments, but we don‘t update .NET when you do update to a new patch release.

Please download the latest .NET 6.* directly from Microsoft website. I believe Windows updates should also be able to take care of .NET updates.

 

Best,

Fabian

 

Thanks Fabin

.NET 6 and .NET 7 are both EOL at the end of this year.  Is .NET 8 currently supported?

Comment


Terms & Conditions