Info
Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.
The vulnerable process, Veeam.Backup.Service.exe (TCP 9401 by default), allows an unauthenticated user to request encrypted credentials.
The administrator should be prompted to upgrade the next time the Veeam Backup & Replication console is launched. See Server Components Upgrade for details.
Scope
This vulnerability affects all Veeam Backup & Replication versions prior to 12 (build 12.0.0.1420 P20230223) and 11a (build 11.0.1.1261 P20230227).
Resolution
Upgrade to a supported version first.
For all-in-one Veeam appliances with no remote backup infrastructure components, block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed. Remote backup infrastructure components communicate with the backup server over this port, which is why this workaround is limited to all-in-one deployments; remove the block once the patch has been installed and verified.
Install the patch on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11a installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.
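The temporary firewall mitigation above, as an added example that is not part of the HPE advisory or of Veeam's own tooling. It assumes Windows Defender Firewall is active on the backup server, that the service still uses the default port 9401, and that the local console reaches the service over loopback, which Windows Firewall rules do not filter; the rule name and function names are arbitrary.

```powershell
# Added example (not from the HPE advisory or Veeam): temporary mitigation for an
# all-in-one Veeam Backup & Replication server, blocking inbound TCP 9401
# (Veeam.Backup.Service.exe) from every remote address.
# Assumptions: Windows Defender Firewall is active, port 9401 is the default and
# unchanged, and the local console uses loopback, which firewall rules do not filter.
# Remote backup infrastructure components (proxies, repositories, etc.) use this
# port, so do not apply this where such components exist.

$Port     = 9401
$RuleName = 'Veeam CVE-2023-27532 temporary block TCP 9401'   # arbitrary rule name

function Test-VeeamServicePort {
    # Confirms something is listening on the expected port before a rule is added,
    # so a non-default port configuration is noticed rather than silently missed.
    param([int]$Port)
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) {
        Write-Warning "Nothing is listening on TCP $Port; check the configured service port."
        return $false
    }
    return $true
}

function Add-VeeamPortBlock {
    param([int]$Port, [string]$RuleName)
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$RuleName' already exists."
        return
    }
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # overrides any existing Veeam allow rule for the port on every profile.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Inbound TCP $Port is now blocked from all remote addresses."
}

function Remove-VeeamPortBlock {
    # Run this after the patch has been installed and verified.
    param([string]$RuleName)
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

Test-VeeamServicePort -Port $Port | Out-Null
Add-VeeamPortBlock -Port $Port -RuleName $RuleName

# Verify the rule is present and enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

To confirm the block from another host on the same network, run Test-NetConnection -ComputerName <backup-server> -Port 9401 there; TcpTestSucceeded should now be False while the local console continues to work. After the patch is installed, call Remove-VeeamPortBlock -RuleName $RuleName so remote components can be added later without a stale block rule.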
The following Veeam resource may be accessed for additional information:
CVE-2023-27532