The information below regarding VDDK library inclusion within the Veeam Transport Service is relevant only to versions of Veeam Backup & Replication older than version 12.1.2 (see notice at the top of this article for more information). This Veeam KB article was created to address customers' concerns about the detection of libcurl by their security software on machines where the Veeam Transport Service is installed. Libcurl is a component of VMware VDDK (Virtual Disk Development Kit), which Veeam Backup & Replication redistributes to be able to protect VMware vSphere environments. Veeam Backup & Replication includes VDDK with the Veeam Transport Service package, which is deployed on managed machines for data movement purposes. A single Veeam Transport package is used for all situations where any portion of the Veeam Transport Services capabilities would be needed. Therefore, any server with the Veeam Transport Service installed will have VDDK libraries, regardless of whether the machine is part of a VMware vSphere backup infrastructure.
Veeam Backup & Replication is not vulnerable to CVE-2023-38545 because Veeam Backup & Replication does not use SOCKS5 protocol.
The solution is to upgrade to the latest version of Veeam Backup & Replication. Starting with the release of Veeam Backup & Replication 12.1.2, the VDDK libraries, which contain the libcurl library, are no longer included with the Veeam Transport package. After upgrading, the Veeam Transport Package on remote components will be updated, and the VDDK Library pack will only be deployed on components where it is needed (VMware Backup Proxies). Additionally, Veeam Backup & Replication 12.1.2 included an updated VDDK library to address the libcurl (CVE-2023-38545) concern.
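When a security scanner flags libcurl on a server that only carries it because the Veeam Transport Service bundles VDDK, the practical triage question is which libcurl builds are actually on the host and whether they fall in the version range the curl advisory lists for CVE-2023-38545 (libcurl 7.69.0 through 8.3.0; fixed in 8.4.0). The following PowerShell script is an added example, not Veeam's code or part of this KB article: it inventories every `libcurl*.dll` under a root directory, normalizes the file version, and reports whether each file is in the affected range. The default root path is an assumption and should be set to wherever the Veeam Transport Service is installed on the machine being checked. A version match only means the scanner's finding is explained; as the article states, the overflow is reachable only through SOCKS5 proxy use, which Veeam Backup & Replication does not do.

```powershell
# Added example (not Veeam's code): inventory libcurl DLLs and flag builds in the
# range the curl advisory lists as affected by CVE-2023-38545 (7.69.0 .. 8.3.0).
# The root path below is an assumption; point it at the Transport Service install
# directory on the host being triaged.

function Get-NormalizedVersion([System.Diagnostics.FileVersionInfo]$Info) {
    # Prefer FileVersion, fall back to ProductVersion; keep only the leading
    # numeric major.minor[.build] part so "8.3.0.0 (release)" becomes 8.3.0.
    $raw = if ($Info.FileVersion) { $Info.FileVersion } else { $Info.ProductVersion }
    if (-not $raw) { return $null }
    $m = [regex]::Match($raw, '^\s*(\d+)\.(\d+)(?:\.(\d+))?')
    if (-not $m.Success) { return $null }
    $build = if ($m.Groups[3].Success) { [int]$m.Groups[3].Value } else { 0 }
    # Three-part versions compare cleanly against the advisory bounds below.
    return [version]::new([int]$m.Groups[1].Value, [int]$m.Groups[2].Value, $build)
}

function Test-LibcurlExposure {
    param(
        # Assumed default; adjust to the actual Veeam install root on this host.
        [string]$Root = (Join-Path $env:ProgramFiles 'Veeam')
    )
    $affectedMin = [version]'7.69.0'
    $affectedMax = [version]'8.3.0'

    Get-ChildItem -Path $Root -Recurse -Filter 'libcurl*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = Get-NormalizedVersion $_.VersionInfo
            $state = if ($null -eq $ver) {
                'unknown'                      # no parseable version resource
            } elseif ($ver -ge $affectedMin -and $ver -le $affectedMax) {
                'in-affected-range'            # explains a scanner hit on this file
            } else {
                'not-affected'                 # older than 7.69.0 or 8.4.0 and newer
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $ver
                State   = $state
            }
        } | Sort-Object State, Path
}

# Usage: run on the host with the Transport Service installed.
Test-LibcurlExposure | Format-Table -AutoSize
```

Run it against the real install root before and after the upgrade to 12.1.2: on a host that is not a VMware backup proxy, the post-upgrade run should return no libcurl entries under the Transport package at all, which is the cleanest evidence to hand back to whoever raised the scanner finding.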
References:
- NIST National Vulnerability Database: CVE-2023-38545 Detail
- curl Documentation: SOCKS5 heap buffer overflow