Challenge
Vulnerabilities in the Veeam ONE Agent components residing on Veeam ONE and Veeam Backup & Replication servers allow a remote, unauthenticated attacker to execute arbitrary code, which may lead to full control of the target system. The severity of the vulnerabilities is critical, with a CVSS v3 score of 9.8.
Cause
Veeam ONE Agent uses .NET data serialization mechanisms. A remote attacker can send crafted serialized data to the TCP port opened by Veeam ONE Agent (TCP 2805 by default), and the agent deserializes it without validating its origin or content. This deserialization of untrusted data is performed during the TLS handshake (vulnerability tracked as ZDI-CAN-10400) and during logging of error messages (vulnerability tracked as ZDI-CAN-10401).
Solution
Hotfixes are available for the following Veeam ONE versions:
- 10
- 9.5 Update 4a
The hotfix must be installed on the Veeam ONE server. Veeam ONE Agents on the Veeam Backup & Replication servers are updated automatically after the hotfix is installed. After applying the updates, the Veeam ONE Agent version will be 10.0.1.750 on Veeam ONE version 10 servers and 9.5.5.4587 on Veeam ONE 9.5 Update 4a servers.
Please note that new deployments of Veeam ONE version 10 and version 9.5 Update 4a installed from ISO images downloaded after 04/15/2020 are not vulnerable.
More Information
These vulnerabilities were discovered by Michael Zanetta and Edgar Boda-Majer from Bugscale, working with Trend Micro Zero Day Initiative.
[[DOWNLOAD|DOWNLOAD HOTFIX FOR Veeam ONE 10|https://www.veeam.com/download_add_packs/virtualization-management-one-solution/10.0.0.750_KB3144/]]
MD5: 2D9379AE533C23ADAFD9D0FA9B461E95
SHA1: D2573BA791BAB7FDCCFDF5E6E51DE1EE05B0368A
[[DOWNLOAD|DOWNLOAD HOTFIX FOR Veeam ONE 9.5 U4a|https://www.veeam.com/download_add_packs/virtualization-management-one-solution/9.5.4.4587_KB3144/]]
MD5: 6D305B39C3633047D0D916324F3F5A91
SHA1: 844DAC236330B8AF2CC3FD563235A1334C5CCD60
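The advisory gives two things an administrator can check mechanically: the Veeam ONE Agent build that should be reported after the hotfix on each branch (10.0.1.750 and 9.5.5.4587), and the MD5/SHA1 digests of the two hotfix packages. The following script is an added example, not Veeam's code; it uses only the versions and digests published above. The hostnames and agent versions in the sample inventory are constructed, and the mapping of the 10.0.0.750 / 9.5.4.4587 package names to pre-hotfix agent builds is an assumption taken from the download URLs.

```python
"""Post-hotfix checks for the Veeam ONE Agent deserialization advisory (KB3144).

Added example, not Veeam's code. Uses only the values published in the
advisory: the fixed agent versions (10.0.1.750 and 9.5.5.4587) and the
MD5/SHA1 digests of the two hotfix packages. Hostnames and versions in the
sample inventory below are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Agent version reported after the hotfix, keyed by major.minor branch
# (values from the advisory).
FIXED_AGENT_VERSIONS: Dict[Tuple[int, int], Version] = {
    (10, 0): (10, 0, 1, 750),   # Veeam ONE 10
    (9, 5): (9, 5, 5, 4587),    # Veeam ONE 9.5 Update 4a
}

# Published digests of the hotfix packages, keyed by the package name used
# in the download URL. Lower-cased so comparisons are case-insensitive.
PUBLISHED_DIGESTS: Dict[str, Dict[str, str]] = {
    "10.0.0.750_KB3144": {
        "md5": "2d9379ae533c23adafd9d0fa9b461e95",
        "sha1": "d2573ba791bab7fdccfdf5e6e51de1ee05b0368a",
    },
    "9.5.4.4587_KB3144": {
        "md5": "6d305b39c3633047d0d916324f3f5a91",
        "sha1": "844dac236330b8af2cc3fd563235a1334c5ccd60",
    },
}


def parse_version(text: str) -> Version:
    """'9.5.5.4587' -> (9, 5, 5, 4587). Numeric tuples compare correctly
    (9.5.5.x > 9.5.4.x, 10.0.1.750 > 10.0.0.750); string comparison would
    misorder builds with different digit counts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(agent_version: str) -> bool:
    """True if the agent is at or above the fixed build for its branch.
    Branches the advisory does not cover (e.g. 9.5.0.x) return False so
    they are surfaced for manual review rather than silently passed."""
    version = parse_version(agent_version)
    fixed = FIXED_AGENT_VERSIONS.get(version[:2])
    if fixed is None:
        return False
    return version >= fixed


def audit_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose agent is not at a fixed build, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


def compute_digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 hex digests of a package's bytes; the advisory publishes
    both, so both are checked."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_published(digests: Dict[str, str], package: str) -> bool:
    """Compare computed digests with the published values for `package`.
    Unknown package names fail closed; both algorithms must match."""
    expected = PUBLISHED_DIGESTS.get(package)
    if expected is None:
        return False
    return all(
        hmac.compare_digest(digests[alg].lower(), expected[alg])
        for alg in ("md5", "sha1")
    )


def verify_hotfix_file(path: str, package: str) -> bool:
    """Hash a downloaded hotfix on disk and check it against the advisory."""
    with open(path, "rb") as fh:
        return matches_published(compute_digests(fh.read()), package)


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {
        "one-srv-01": "10.0.1.750",   # Veeam ONE 10 after the hotfix
        "vbr-srv-02": "10.0.0.750",   # assumed pre-hotfix Veeam ONE 10 agent
        "vbr-srv-03": "9.5.5.4587",   # 9.5 U4a after the hotfix
        "vbr-srv-04": "9.5.4.4587",   # assumed pre-hotfix 9.5 U4a agent
    }
    for host in audit_inventory(sample):
        print(f"{host}: agent {sample[host]} is not at a fixed build")
```

Run `verify_hotfix_file("<downloaded package>", "10.0.0.750_KB3144")` before installing the hotfix, and feed the agent versions gathered from the Veeam ONE and Veeam Backup & Replication servers into `audit_inventory` afterwards; any host it lists still needs attention.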