Description of Problem
Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.
- Severity - High
- CVSS v3 score - 7.5
Affected Versions
- The vulnerable process, Veeam.Backup.Service.exe (TCP 9401 by default), allows an unauthenticated user to request encrypted credentials.
- This vulnerability affects all Veeam Backup & Replication versions.
- If you use an earlier Veeam Backup & Replication version, please upgrade to a supported version first.
- If you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.
- The patch must be installed on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11a installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.
Recommended Action
Customers should update to a version that resolves the vulnerability:
- 12 (build 12.0.0.1420 P20230223)
- 11a (build 11.0.1.1261 P20230227)
https://www.veeam.com/kb4424