Veeam VBR 12.1 CVE-2023-36558 and CVE-2023-36049 Vulnerabilities


Userlevel 7
Badge +7

Today, I noticed there are two fresh vulnerabilities on the VBR 12.1 manager and console servers. Certain .NET Core prerequisites are installed when the product is installed. Unfortunately, that .NET runtime isn't patched automatically through Windows Update.


CVE-2023-36049 - .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36049

This security advisory is being released by Microsoft to inform users of a vulnerability present in .NET 6.0, .NET 7.0, and .NET 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

When untrusted URIs are sent to System.Net, a vulnerability in .NET allows for elevation of privilege. It is possible to insert arbitrary commands into backend FTP servers using WebRequest.Create.


CVE-2023-36558 - ASP.NET Core Security Feature Bypass Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558

Microsoft provides this security advisory to notify users about a vulnerability in ASP.NET Core 6.0, 7.0, and 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

An ASP.NET security feature bypass vulnerability allows an unauthorized user to circumvent validation on Blazor Server forms, potentially leading to unwanted behaviour.

Affected software:

Any ASP.NET Core Blazor 6.0 application running on .NET 6.0.24 or earlier.

Any ASP.NET Core Blazor 7.0 application running on .NET 7.0.13 or earlier.

Any ASP.NET Core Blazor 8.0 application running on .NET 8.0 RC2.


Follow the steps below to fix the VBR 12.1 CVE-2023-36558 and CVE-2023-36049 vulnerabilities.

Please back up the servers before making any changes.


1. Log in to the Veeam servers.

2. Open Command Prompt as administrator.

3. Open Programs and Features to check the .NET version. You will see that the VBR 12.1 manager and console server install .NET version 6.0.24 from the VeeamBackup&Replication_12.1.0.2131_20231206 ISO image.

4. Microsoft recommends downloading and installing the patched version 6.0.25 and uninstalling the end-of-support .NET version.

https://download.visualstudio.microsoft.com/download/pr/955c1f8b-93d8-4c32-9380-6dd18f69a135/44efbec986e7d078395ba9e45cf0e607/dotnet-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/dc41dbfc-0cb2-453b-8e13-b96df87ec639/80632cb579c5dd86842224b9e6304221/aspnetcore-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/52d6ef78-d4ec-4713-9e01-eb8e77276381/e58f307cda1df61e930209b13ecb47a4/windowsdesktop-runtime-6.0.25-win-x64.exe

5. Open Programs and Features again to check the .NET version. You will see all of the .NET 6.0.25 packages installed.

6. Restart the server.

Everything is fine so far, and the .net versions are patched.
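As an added example (not part of the original post), the PowerShell script below inventories the shared .NET runtimes on a VBR server and flags any that are still below the patched versions, including an older side-by-side copy such as the 6.0.12 mentioned in the comments. It assumes the dotnet host is on the PATH; 6.0.25 is the fixed version stated above, while 7.0.14 and 8.0.0 GA are assumed from the affected-software list (7.0.13 or earlier, 8.0 RC2).

```powershell
# Added example, not from the original post: check installed .NET runtimes on a VBR
# server against the fixed versions for CVE-2023-36049 / CVE-2023-36558.
# 6.0.25 is stated in the post; 7.0.14 and 8.0.0 are assumptions derived from the
# affected-software list ("7.0.13 or earlier", "8.0 RC2").
$MinimumFixed = @{ 6 = [version]'6.0.25'; 7 = [version]'7.0.14'; 8 = [version]'8.0.0' }

function Get-InstalledDotNetRuntimes {
    # 'dotnet --list-runtimes' prints one line per runtime, e.g.
    #   Microsoft.AspNetCore.App 6.0.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
    $dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
    if (-not $dotnet) { throw 'dotnet host not found; shared runtimes may not be installed.' }
    & $dotnet.Source --list-runtimes | ForEach-Object {
        if ($_ -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)(?<pre>-\S+)?\s+\[(?<path>.+)\]$') {
            [pscustomobject]@{
                Name       = $Matches.name
                Version    = [version]$Matches.ver
                Prerelease = [bool]$Matches.pre     # e.g. 8.0.0-rc.2.xxxx is RC2
                Path       = $Matches.path
            }
        }
    }
}

function Test-DotNetRuntimeStatus {
    param([Parameter(ValueFromPipeline)] $Runtime)
    process {
        $major = $Runtime.Version.Major
        if (-not $MinimumFixed.ContainsKey($major)) {
            $status = 'not in advisory scope'
        } elseif ($Runtime.Prerelease -or $Runtime.Version -lt $MinimumFixed[$major]) {
            # An old side-by-side runtime (e.g. 6.0.12 left behind after an upgrade) is
            # still unpatched software on the server; the post's step 4 uninstalls it.
            $status = "VULNERABLE - update to $($MinimumFixed[$major]) or uninstall"
        } else {
            $status = 'patched'
        }
        [pscustomobject]@{ Runtime = $Runtime.Name; Version = $Runtime.Version; Status = $status }
    }
}

Get-InstalledDotNetRuntimes | Test-DotNetRuntimeStatus |
    Sort-Object Runtime, Version | Format-Table -AutoSize
```

Run it before and after step 4 to confirm that the 6.0.24 entries are gone and only 6.0.25 (or newer) remains for each of the three runtimes.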


10 comments

Userlevel 7
Badge +7

The vulnerabilities were fixed in 12.1.1.56.

https://www.veeam.com/kb4510

Userlevel 7
Badge +6

The vulnerabilities were fixed in 12.1.1.56.

https://www.veeam.com/kb4510

Just a bit of clarity on this: if you installed Veeam 12.1.1.56 *prior* to Jan 19th, you should update VBR as @CarySun advised above.

Only the 12.1.1.56 ISO was patched to include the patched .NET version. So if you install VBR 12.1.1.56 today, you’re good to go. If you installed it a week ago, you still need to patch your .NET on the VBR server.

Userlevel 7
Badge +7

The vulnerabilities were fixed in 12.1.1.56.

https://www.veeam.com/kb4510

Just a bit of clarity on this: if you installed Veeam 12.1.1.56 *prior* to Jan 19th, you should update VBR as @CarySun advised above.

Only the 12.1.1.56 ISO was patched to include the patched .NET version. So if you install VBR 12.1.1.56 today, you’re good to go. If you installed it a week ago, you still need to patch your .NET on the VBR server.

I think you need to ensure you are using VeeamBackup&Replication_12.1.1.56_20240116.iso. It should be good. The date is not important. 😂

Userlevel 7
Badge +6

Thanks for sharing, @CarySun !

Userlevel 7
Badge +17

Wasn’t aware...thanks for the share Cary.

Userlevel 7
Badge +2

Thank you for sharing, master @CarySun 🙏🏼

Userlevel 2


Hi All,


We have upgraded Veeam to 12.1.1.56. We are still seeing the old ASP.NET Core 6.0.12 present alongside the new one.

Will Veeam not remove the old ASP.NET Core 6.0.12?


Regards,

Surya


Userlevel 7
Badge +12

Hi Surya,

.NET is not maintained by our product updates.


We include the latest .NET on our ISO for new Veeam Backup & Replication deployments, but we don't update .NET when you update to a new patch release.

Please download the latest .NET 6.* directly from the Microsoft website. I believe Windows Update should also be able to take care of .NET updates.


Best,

Fabian

Userlevel 2


Thanks Fabian.

.NET 6 and .NET 7 are both EOL at the end of this year. Is .NET 8 currently supported?
