Veeam fixes RCE flaw in backup management platform (CVE-2024-29212)
Veeam has patched a critical vulnerability (CVE-2024-29212) in Veeam Service Provider Console (VSPC) and is urging customers to implement the patch.
About CVE-2024-29212
Veeam Service Provider Console is a cloud platform used by managed services providers (MSPs) and enterprises to manage and monitor data backup operations.
“Service providers can deploy Veeam Service Provider Console to deliver Veeam-powered Backup-as-a-Service and Disaster Recovery-as-a-Service services to their customers. Enterprises can use the solution to streamline backup operations in remote and branch offices, or other locations,” the company explains.
CVE-2024-29212 exists due to an unsafe deserialization method used by the Veeam Service Provider Console server during communication between the management agent and its components. It affects VSPC versions 4.0, 5.0, 6.0, 7.0 and 8.0.
Under certain conditions, exploiting the vulnerability may allow attackers to achieve remote code execution on the server on which VSPC is installed. Attackers could then disrupt backup and disaster recovery processes – a boon to ransomware operators, who routinely target backups before deploying their payload.
In 2023, cybercriminals exploited CVE-2023-27532, a vulnerability in Veeam Backup & Replication.
What to do?
The good news is that the vulnerability was discovered internally by Veeam and there is no mention of it being actively exploited.
“We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console,” the company advised.
The vulnerability does not affect any other Veeam products.
Hunter.how, a search engine for internet researchers, detects over 1,600 internet-facing VSPC setups, mostly in the US.
UPDATE (May 28, 2024, 02:00 p.m. ET):
Veeam has issued an “enhanced update” to address CVE-2024-29212 and is urging admins to implement it.
“Although our initial patch, issued on May 7th, effectively addressed the primary concern, a subsequent review identified an area for further improvement. To ensure comprehensive protection, we swiftly developed and released a refined patch that fully mitigates the issue.”