Veeam Security Advisory: Resolved Vulnerability CVE-2023-27532

Veeam Software, Inc. had published a security advisory concerning its Backup & Replication software.

KB ID: 4424
Product: Veeam Backup & Replication
Published: 2023-03-07
Last modified: 2023-03-08

Challenge
Vulnerability CVE-2023-27532 in Veeam Backup & Replication component allows to obtain encrypted credentials stored in the configuration database. This may lead to gaining access to the backup infrastructure hosts.

Severity: High
CVSS v3 score: 7.5

Cause
The vulnerable process, Veeam.Backup.Service.exe (TCP 9401 by default), allows an unauthenticated user to request encrypted credentials.

Solution
This vulnerability is resolved in the following Veeam Backup & Replication build numbers:

• 12 (build 12.0.0.1420 P20230223)

• 11a (build 11.0.1.1261 P20230227)

Notes:

• This vulnerability affects all Veeam Backup & Replication versions.

• If you use an earlier Veeam Backup & Replication version, upgrade to a supported version first.

• If you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.

• The patch must be installed on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11 installed using the ISO images dated 20230223 (V12) and 20230227 (V11) or later are not vulnerable.

Information
This vulnerability was reported by Shanigen.

Correction: This article initially listed the vulnerability ID as CVE-2023-27530, the correct vulnerability ID is CVE-2023-27532.