Security Advisory: Critical Vulnerabilities in Veeam Service Provider Console (VSPC)

Veeam has released urgent security updates to address two critical vulnerabilities affecting its Service Provider Console (VSPC). These flaws, tracked as CVE-2024-42448 (Critical, CVSS 9.9) and CVE-2024-42449 (High, CVSS 7.1), could enable attackers to perform remote code execution (RCE) or extract sensitive NTLM hashes, posing severe risks to backup and disaster recovery operations.

Organizations using vulnerable versions of VSPC are strongly advised to update to the latest version 8.1.0.21999 immediately.

For detailed information and patch instructions, visit Veeam’s advisory: Veeam Advisory KB4679.

Critical Vulnerabilities in Veeam Service Provider Console (VSPC) Technical Overview

CVE-2024-42448: Remote Code Execution (Critical, CVSS 9.9)

• Impact: Allows attackers to execute arbitrary code remotely from an authorized VSPC management agent machine, granting full control of the VSPC server.
• Risk: Enables attackers to disrupt backup and recovery operations, exfiltrate sensitive data, or escalate attacks.

CVE-2024-42449: NTLM Hash Leak and File Deletion (High, CVSS 7.1)

• Impact: Permits the extraction of NTLM hashes from the VSPC server service account and unauthorized file deletion.
• Risk: Allows attackers to escalate privileges, compromise critical resources, and disrupt operations.

Affected Versions:

• Veeam Service Provider Console (VSPC) versions 8.1.0.21377 and earlier (including all builds of versions 8 and 7).

Exploitation Conditions:

• The vulnerabilities require the VSPC management agent to be authorized on the server for exploitation.

What We Suggest to Mitigate Critical Vulnerabilities in Veeam Service Provider Console (VSPC)

1. Update Immediately:
   • Upgrade to VSPC version 8.1.0.21999 to address both CVE-2024-42448 and CVE-2024-42449.
   • For unsupported versions, update to a supported release to ensure protection against vulnerabilities.
2. Restrict Access:
   • Limit access to the VSPC management agent to trusted users and networks.
   • Regularly audit and enforce strict access controls.
3. Monitor for Suspicious Activity:
   • Implement network monitoring to detect anomalous behavior, such as unauthorized access attempts or file deletions.
   • Look for indicators of exploitation, such as unexpected RCE activity or unusual NTLM traffic.
4. Prioritize Backup Security:
   • Ensure all systems involved in backup and recovery operations are fully patched and monitored.
   • Educate IT staff on the importance of securing backup solutions, as they are critical targets for ransomware and other attacks.
5. Refer to Veeam’s Advisory for Details:
   • For patching instructions and technical insights, consult Veeam Advisory KB4679.