It is critically important to keep every system up to date. This post is a reminder for all users to refer to KB4420 to ensure their Veeam Backup & Replication installation is current.
Why is this being brought up here, now?
This is being raised here in the community to remind customers that cumulative patches for Veeam Backup & Replication are available. Recently there have been media stories about a Veeam vulnerability that was patched on March 7 of this year; bad actors continue to devise new ways to exploit that vulnerability on unpatched systems. Users have received emails about the update, it has been covered in the V12 Upgrade Center, and there is even a Veeam Intelligent Diagnostics alarm for the update.
Veeam has a long-standing commitment to ensuring our products protect customers from potential risk. As part of this, we run a Vulnerability Disclosure Program (VDP) for all our products. In mid-February, a security researcher identified and reported, through the program, a vulnerability in Veeam Backup & Replication (VBR) with a Common Vulnerability Scoring System (CVSS) score of 7.5 out of 10 (high severity). The vulnerability could allow an unauthenticated attacker with network access to the backup infrastructure to request encrypted credentials, which could subsequently lead to access to the backup infrastructure hosts. The information published in CVE-2023-27532 is consistent with our advisory and with the patch that has been available for many months.
How did Veeam respond?
After immediately reviewing and confirming the vulnerability, Veeam developed a patch that mitigates it for VBR v11 and v12. We communicated directly with all our VBR customers, published a Knowledge Base article detailing the issue, and released the patch so that customers can mitigate the vulnerability immediately.
Once a vulnerability is identified and disclosed, attackers reverse-engineer the patch to work out the details and then use the vulnerability against unpatched versions of Veeam software in their exploitation attempts. This underlines the importance of running the latest versions of all software and installing patches in a timely manner.
How can you keep up to date?
I recommend the following resources to stay up to date and not miss an update from Veeam:
- Watch the Veeam Community Recap; this weekly news update highlights featured content and also relays critical KB articles and new product releases.
- Subscribe to the Veeam KB Articles weekly update via email.
- Veeam has created this page to detail the remediation of CVE-2023-27532: https://www.veeam.com/kb4424
- Veeam has created this page to detail all Veeam Security Fixes and Improvements in Veeam Backup & Replication: https://www.veeam.com/kb3103
- Veeam produced the stream “Best Practices for Cyber Resiliency with Veeam” to provide an overview of important security considerations and the Veeam capabilities that improve your cyber resiliency practice, and to underline the importance of patching and maintaining systems: https://www.youtube.com/watch?v=C7fAkhlZ2bM&list=PL0afnnnx_OVDJnh_fxH_iAN9h0vpQs8ip&index=4