-
- Expert
- Posts: 111
- Liked: 11 times
- Joined: Aug 27, 2021 12:29 am
- Contact:
Re: Veeam Security Bulletin (September 2024)
Veeam should listen to the voice of the customer. There are a lot of customers here complaining about this.
-
- Veteran
- Posts: 626
- Liked: 92 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: Veeam Security Bulletin (September 2024)
As always, thanks for your engagement. I'm looking forward to seeing if this will be the first release in the past years where we don't need 1-5 hotfixes.
As I'm on vacation currently, I did not check everything, but it looks like IBM storage integration is now available as a plugin. Without the security issue I would be very careful to update as we already lost datastores because of this integration (wrong sequence of ssh commands - which was fixed).
But I guess Veeam does not leave us much of a choice.

-
- Service Provider
- Posts: 384
- Liked: 113 times
- Joined: Mar 16, 2015 4:00 pm
- Full Name: David Rubin
- Contact:
Re: Veeam Security Bulletin (September 2024)
Gostev wrote: ↑Sep 06, 2024 10:02 am
This will be the feature of Linux-based VBR appliance in V13. Users will be given a chance to initiate an update manually first, but will be forced into automated updates after X days if they don't. But only within a major release of course, no forced updates across major versions.

Which, of course, begs the question: what's the release date for v13?

(You brought it on yourself!)
-
- Chief Product Officer
- Posts: 32334
- Liked: 7692 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Security Bulletin (September 2024)
Gostev wrote: ↑Sep 11, 2024 8:07 pm
There was no known exploitation of this vulnerability at the time we disclosed it. Our Information Security team monitors darknet and uses many other special sources not available to ordinary mortals like me, but they do notify us the moment something pops up on their radar.

Update from those good folks: a proof of concept exploit for CVE-2024-40711 has been published on the Internet. So we can expect threat actors will leverage this to attack any Internet-facing (that's a no no) vulnerable backup servers almost immediately. Needless to say, backup servers not reachable from the Internet can only be attacked if bad actors make it inside your backup infrastructure network perimeter through some other means first. Either way, if anyone still hasn’t patched, now is definitely the time.
N.B. This took exactly 2 weeks from the day of disclosure.
-
- Veeam ProPartner
- Posts: 593
- Liked: 114 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: Veeam Security Bulletin (September 2024)
VMware vCenter super severity megabug patched two days ago: https://support.broadcom.com/web/ecx/su ... es/0/24968
Also VMware is aligned to Veeam to patch "only" the latest version, now I'm forced to upgrade all customers from vCenter 8.0 U2 to 8.0 U3 to benefit from this security patch, and have all customers upgraded to Veeam 12.2 to be compatible with vCenter 8.0 U3
Kudos for providing patch for vCenter 7.x, I still have some around
Sysadmin job is burning my brain and annihilating time for myself and my family
Marco
Ciao,
Marco
-
- Veeam Legend
- Posts: 527
- Liked: 145 times
- Joined: Apr 22, 2022 12:14 pm
- Full Name: Danny de Heer
- Contact:
Re: Veeam Security Bulletin (September 2024)
Hi Marco,
Difference here is that VMware/Broadcom is patching with a maintenance release on the latest available Minor release of both still supported Major releases.
Veeam released a new minor with 12.2 and patched the vulnerabilities within this new minor. The community, myself included, would have liked the same vulnerabilities patched in a maintenance release for minor 12.1.
However as @Gostev already stated, it wasn't possible because there was so much rewrite of code to patch these CVEs that it was too big of a change to release in a maintenance release.
VMCE / Veeam Legend 2*