CVE-2023-38547
📋 TL;DR
This vulnerability in Veeam ONE allows unauthenticated attackers to obtain SQL server connection details for the configuration database. This information disclosure could lead to remote code execution on the SQL server hosting the Veeam ONE database. All Veeam ONE installations are affected.
💻 Affected Systems
- Veeam ONE
📦 What is this software?
One by Veeam
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the SQL server hosting Veeam ONE configuration database, potentially leading to domain-wide compromise if SQL server has elevated privileges.
Likely Case
SQL server compromise leading to data exfiltration, credential theft, and lateral movement within the network.
If Mitigated
Limited to information disclosure about SQL connection strings without ability to exploit further due to network segmentation and access controls.
🎯 Exploit Status
Unauthenticated access makes exploitation trivial once SQL connection details are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.0.0.1420 P20230718
Vendor Advisory: https://www.veeam.com/kb4508
Restart Required: Yes
Instructions:
1. Download Veeam ONE 12.0.0.1420 P20230718 from the Veeam website.
2. Run the installer on the Veeam ONE server.
3. Follow the upgrade wizard.
4. Restart Veeam ONE services when prompted.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Veeam ONE web interface to trusted administrative networks only.
Firewall Rules
Block external access to Veeam ONE ports (default 1239, 1240) at the perimeter firewall.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Veeam ONE server from SQL server and other critical systems
- Monitor for unusual SQL connection attempts and review SQL server logs for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the Veeam ONE version in the web interface or via the 'Get-VBRServerVersion' PowerShell command. If the version is below 12.0.0.1420 P20230718, the system is vulnerable.
Check Version:
Get-VBRServerVersion (PowerShell) or check Help > About in Veeam ONE web interface
Verify Fix Applied:
Verify that the version is 12.0.0.1420 P20230718 or later using the same methods. Confirm that unauthenticated requests to the previously vulnerable endpoints no longer return SQL connection information.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to Veeam ONE web interface endpoints
- Unusual SQL connection attempts from Veeam ONE server IP
Network Indicators:
- Unusual traffic patterns to Veeam ONE ports from unauthorized sources
- SQL connection attempts from unexpected IPs
SIEM Query:
source="veeam_logs" AND (http_status=200 AND uri_path="/api/*" AND user_agent NOT IN authorized_agents)
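The SIEM query above, applied to raw web-server log lines as an added example (not code from the advisory or from Veeam): it flags successful (HTTP 200) requests to /api/* paths that carry no authenticated user and whose user agent is not on an allowlist, then groups them by source address. The log layout (combined-log style), the sample lines and the allowlisted agent string are all assumptions; adapt the regex and allowlist to the real Veeam ONE web logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed combined-log format (the real Veeam ONE
# web log layout may differ). Only 203.0.113.7 matches every condition of the query.
SAMPLE_LOG = """\
10.0.5.23 - admin [02/Nov/2023:10:01:02 +0000] "GET /api/v1/reports HTTP/1.1" 200 512 "-" "VeeamONE-Console/12.0"
203.0.113.7 - - [02/Nov/2023:10:02:10 +0000] "GET /api/v1/config HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [02/Nov/2023:10:02:11 +0000] "GET /api/v1/settings HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.0.5.40 - - [02/Nov/2023:10:03:00 +0000] "GET /login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Nov/2023:10:04:30 +0000] "GET /api/v1/config HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# ip, ident, user, [timestamp], "METHOD path proto", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed allowlist standing in for the query's "authorized_agents"; prefix match.
AUTHORIZED_AGENTS = ("VeeamONE-Console/",)


def is_authorized_agent(user_agent):
    return any(user_agent.startswith(prefix) for prefix in AUTHORIZED_AGENTS)


def suspicious_api_hits(log_text):
    """Return {source_ip: [paths]} for requests matching the advisory's SIEM query:
    status 200, path under /api/, no authenticated user, agent not allowlisted."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip rather than guess
        unauthenticated = m.group("user") == "-"
        if (m.group("status") == "200"
                and m.group("path").startswith("/api/")
                and unauthenticated
                and not is_authorized_agent(m.group("ua"))):
            hits[m.group("ip")].append(m.group("path"))
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in suspicious_api_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} unauthenticated API hit(s): {', '.join(paths)}")
```

Feed it the Veeam ONE web-server access log instead of SAMPLE_LOG; a source that accumulates hits here is worth correlating with the SQL server's login audit for connections originating from that address.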