Please be aware of two newly identified vulnerabilities in the “Veeam Backup & Replication” software.

These vulnerabilities could potentially be exploited by malicious actors to gain unauthorised access to backups, with the intent to steal or corrupt data. ONGC Systems utilises Veeam for backing up on-premises servers and data storage. It is important to note that customers using cloud-only SaaS applications (i.e., those without local server or data storage infrastructure) are not impacted by these vulnerabilities.

Vulnerability Names: CVE-2024-4071, CVE-2024-40713, CVE-2024-40710, CVE-2024-39718, CVE-2024-40714
Severity: CRITICAL
CVSS: 9.8, 8.8, 8.8, 8.1, 8.3
Affected Products: Veeam Backup & Replication

Description:

CVE-2024-4071 – A vulnerability allowing unauthenticated remote code execution (RCE).

CVE-2024-40713 – A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA.

CVE-2024-40710 – A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication.

CVE-2024-39718 – A vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account.

CVE-2024-40714 – A vulnerability in TLS certificate validation that allows an attacker on the same network to intercept sensitive credentials during restore operations.

What this means for all ONGC Customers:

ONGC Systems has proactively addressed the identified vulnerabilities by implementing the necessary updates. Last week, we identified the affected software instances across our customer base and have since applied the updates and rebooted the affected servers as required. All Veeam instances running on supported operating systems (Windows Server 2016 and later) have now been patched and secured. The vulnerabilities have been resolved, and no further action is needed.

Important Notice: If your servers are currently operating on “Windows Server 2012 R2” or earlier versions, the necessary patches to address the vulnerabilities cannot be applied due to support limitations. We strongly recommend contacting your Customer Relationship Manager to discuss upgrading your operating system to a more recent version.