Veeam has remedied four vulnerabilities in its IT infrastructure monitoring and analytics platform, Veeam ONE. These vulnerabilities are identified as CVE-2023-38547, CVE-2023-38548, CVE-2023-38549, and CVE-2023-41723.
The most severe vulnerability, CVE-2023-38547 with a CVSS score of 9.9, could be exploited by an unauthenticated attacker. It could expose information about the SQL server connection that Veeam ONE uses to access its configuration database. The advisory states, “A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database.” This could lead to remote code execution on the SQL server hosting the Veeam ONE configuration database. The affected versions are Veeam ONE 11, 11a, and 12.
Another critical vulnerability, CVE-2023-38548 with a CVSS score of 9.8, can be exploited by an unprivileged user with access to the Veeam ONE Web Client. This vulnerability could allow the user to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. This vulnerability specifically affects Veeam ONE 12.
The remaining two vulnerabilities, CVE-2023-38549 and CVE-2023-41723, are of medium severity. CVE-2023-38549, with a CVSS score of 4.5, could allow a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role via a cross-site scripting (XSS) attack.
The final vulnerability, CVE-2023-41723 with a CVSS score of 4.3, could be exploited by a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. This vulnerability affects Veeam ONE versions 11, 11a, and 12.
Earlier in March, Veeam patched a high-severity flaw, CVE-2023-27532, in its Veeam Backup and Replication (VBR) software. This vulnerability could be exploited by an unauthenticated user with access to the Veeam backup service to request cleartext credentials. A remote attacker could potentially exploit this flaw to access a target organization's backup systems and execute arbitrary code as 'SYSTEM'. After the vulnerability was publicly disclosed, researchers on Horizon3's Attack Team released technical details and proof-of-concept (PoC) exploit code.