Veeam warns to install patches to fix a bug in its Backup & Replication product


Veeam addressed a high-severity vulnerability in the Backup Service that impacts Backup & Replication software.

Veeam addressed a high-severity vulnerability in the Backup Service, tracked as CVE-2023-27532 (CVSS v3 score: 7.5), that impacts all versions of Backup & Replication software.


“Vulnerability CVE-2023-27532 in Veeam Backup & Replication component allows to obtain encrypted credentials stored in the configuration database. This may lead to gaining access to the backup infrastructure hosts.” reads the advisory published by the company.

An unauthenticated attacker can exploit the vulnerability to obtain the credentials stored in the VeeamVBR configuration database and use them to access backup infrastructure hosts.

According to the advisory, the root cause of the problem is the vulnerable Veeam.Backup.Service.exe (TCP 9401 by default) process that allows an unauthenticated user to request encrypted credentials.

The flaw was addressed with the release of the following Veeam Backup & Replication build numbers:

The company credited the security researcher known as Shanigen for reporting the CVE-2023-27532 flaw in mid-February.

Veeam also provides a workaround in case customers can’t immediately apply the security updates and are using an all-in-one appliance with no remote backup infrastructure components. The vendor recommends blocking external connections to port TCP 9401 in the backup server firewall.
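One way to confirm the workaround is holding is to review the backup server's firewall log for inbound traffic to TCP 9401 that was still allowed. The script below is an added example, not code from Veeam or the advisory. It assumes Windows Firewall logging of allowed and dropped connections is enabled and that the log has the standard `#Fields:` header including the `path` column; the log lines and addresses are constructed.

```python
import ipaddress

WATCHED_PORT = 9401  # Veeam.Backup.Service.exe default TCP port, per the advisory

# Constructed sample in the Windows Firewall log layout (pfirewall.log); addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-03-10 09:14:02 ALLOW TCP 127.0.0.1 127.0.0.1 50311 9401 0 - 0 0 0 - - - RECEIVE
2023-03-10 09:15:40 ALLOW TCP 192.0.2.44 198.51.100.10 51522 9401 0 - 0 0 0 - - - RECEIVE
2023-03-10 09:16:05 DROP TCP 192.0.2.77 198.51.100.10 40112 9401 60 S 0 0 0 - - - RECEIVE
2023-03-10 09:17:30 ALLOW TCP 198.51.100.10 192.0.2.9 52001 443 0 - 0 0 0 - - - SEND
"""

def external_9401_connections(log_text, local_addrs=()):
    """Return (allowed, dropped) lists of inbound TCP 9401 records from non-local sources."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    fields, allowed, dropped = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the "#Fields:" token
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("path") != "RECEIVE":
            continue  # only inbound TCP matters for this workaround
        if rec.get("dst-port") != str(WATCHED_PORT):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed record, skip it
        if src.is_loopback or src in local:
            continue  # the all-in-one server talking to itself is expected
        (allowed if rec.get("action") == "ALLOW" else dropped).append(rec)
    return allowed, dropped

if __name__ == "__main__":
    allowed, dropped = external_9401_connections(SAMPLE_LOG, ["198.51.100.10"])
    for r in allowed:
        print("GAP: allowed", r["src-ip"], "->", r["dst-port"], "at", r["date"], r["time"])
    print(len(dropped), "external attempt(s) dropped by the firewall")
```

Any record in the allowed list means an external host reached the Backup Service after the block rule should have been in place; dropped records show the rule working and which sources are probing the port.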


Pierluigi Paganini


(SecurityAffairs – hacking, CVE-2023-27532)



