kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by IanBolton » 1 person likes this post

Anyone been able to get the hotfix on from https://www.veeam.com/kb4682

I tried to copy it to my EM server, but I couldn't as the server thought there was a virus/potentially unwanted application. And now Chrome on my desktop won't download it.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by IanBolton »

Update to this - I've found the reason for the issue I have - the fileserver to which I downloaded the zip before transferring it to the EM server is protected by the Microsoft ASR rules. These rules detect malware, as does VirusTotal.

I could work around this, by downloading to a server NOT protected in this way, but I'm wary of a potential supply-chain attack and have opened 07494670 with Veeam for advice.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by jasonede »

Did you hear back about this?

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by IanBolton »

Last week I heard that it has been referred to the security team and I'd hear back this week.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by david.domask »

Hi all,

Thank you for reporting this and for sharing the case number.

While I suspect it's a false-positive, will check with our AppSec team and share this report, and will update the thread once we have more information.
David Domask | Product Management: Principal Analyst

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by IanBolton »

I also expect it to be FP, I think it was just Windows ASR being a bit twitchy because 2 vendors were suspicious on VirusTotal. When you look at the behaviors though on VirusTotal, it does a hell of a lot for just replacing one dll!

And given that Veeam would be ripe for a supply-chain attack, I'm not installing the patch until I get more reassurance (we don't open EM to end users, only 4 x backup admins from designated workstations so it's a low risk vuln for us)

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by david.domask » 1 person likes this post

Hi all,

Our Application Security team contends it's a false-positive. Likely some factors (distributed as .zip, file renaming, etc) triggered a false-positive. Will work to see if we can get it cleared with the relevant A/V vendors, but by all indicators, it's a false-positive.

Edit 2024-11-12: At least one AV vendor has responded and updated their scanning engine to resolve the false-positive; it may take some time for this change to be distributed.
David Domask | Product Management: Principal Analyst

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by FrenchBlue »

Hello,

What's the situation there? The kb4682 page doesn't exist anymore at the time of writing this message.

Thanks.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by david.domask »

Hi FrenchBlue,

There appears to be an issue with the page as there have been reports of it being inaccessible intermittently from various regions. This has been reported to our internal teams and we're looking into it.

Edit: Seems to be live again. @FrenchBlue can you try in private/incognito window or with clean cache and tell if it works?
David Domask | Product Management: Principal Analyst

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by FrenchBlue »

Hello,

Yes, the page is working again now, without any action in the browser. So what's the status, should we patch or not?

Thanks.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by david.domask » 1 person likes this post

Patch. It's a false-positive, and one of the AV vendors has already updated their listings to stop flagging it.

And thanks for confirming the KB loads for you.
David Domask | Product Management: Principal Analyst

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by FrenchBlue » 1 person likes this post

OK thanks, clear.

Re: kb4682 CVE-2024-40715 MITM against Enterprise Manager

Post by IanBolton » 1 person likes this post

Also, from my case:
"Thank you for your patience in this subject. I received an update from our security team, as long as you download this file directly from us and the hash matches what we published, you are cleared to proceed - you can consider the tool alert as a false positive."
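
The check described in the support reply above (download directly from the vendor, compare the hash with the published one), as an added PowerShell example that is not part of the original thread and is not Veeam tooling. `$ZipPath` and `$PublishedSha256` are placeholders supplied by the caller; the Authenticode listing is an extra signal added here, and the thread does not say whether the hotfix files are signed.

```powershell
# Added example, not Veeam tooling. Run where the archive was downloaded.
param(
    [Parameter(Mandatory)] [string] $ZipPath,          # placeholder: path to the downloaded hotfix zip
    [Parameter(Mandatory)] [string] $PublishedSha256   # placeholder: digest copied from the vendor's KB page
)
$ErrorActionPreference = 'Stop'

# Normalise the published digest and refuse anything that is not 64 hex characters,
# so a truncated copy/paste or an MD5/SHA-1 value cannot pass by accident.
$expected = ($PublishedSha256 -replace '\s', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{64}$') {
    throw "Not a SHA-256 hex digest: '$PublishedSha256'"
}

# Get-FileHash returns the digest as upper-case hex.
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "Hash mismatch for '$ZipPath': expected $expected, got $actual. Do not install."
}
Write-Host "SHA-256 matches the published value: $actual"

# Extra signal (assumption: the vendor may or may not sign these files).
# Extract to a scratch folder and list the Authenticode status of each binary.
$scratch = Join-Path ([IO.Path]::GetTempPath()) ("hotfix-" + [Guid]::NewGuid())
try {
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $scratch
    Get-ChildItem -LiteralPath $scratch -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.exe', '.msi', '.ps1' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        } | Format-Table -AutoSize
}
finally {
    # Clean up the scratch copy whether or not extraction succeeded.
    Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
}
```

Take the published digest from the vendor's KB page over HTTPS in a separate session, not from a value delivered alongside the file.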