April 27, 2024
Veeam VBR 12.1 CVE-2023-36558 and CVE-2023-36049 Vulnerabilities
Today, I noticed two fresh vulnerabilities on the VBR 12.1 Manager and console servers. Certain .NET Core prerequisites are installed when the product is installed. Unfortunately, .NET isn't patched automatically through Windows updates.

CVE-2023-36049 – .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36049

Microsoft is releasing this security advisory to inform users of a vulnerability in .NET 6.0, .NET 7.0, and .NET 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

When untrusted URIs are passed to System.Net.WebRequest.Create, a vulnerability in .NET allows for the elevation of privilege: the URI can be used to insert arbitrary commands into backend FTP servers.

CVE-2023-36558 – ASP.NET Core Security Feature Bypass Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558

Microsoft provides this security advisory to notify users about a vulnerability in ASP.NET Core 6.0, 7.0, and 8.0 RC2. Additionally, this alert offers suggestions on how developers should update their apps to fix this vulnerability.

An ASP.NET security feature bypass vulnerability allows an unauthorized user to circumvent validation on Blazor server forms, potentially leading to unwanted behaviours.

Affected software:

Any ASP.NET Core Blazor 6.0 application running on .NET 6.0.24 or earlier.

Any ASP.NET Core Blazor 7.0 application running on .NET 7.0.13 or earlier.

Any ASP.NET Core Blazor 8.0 application running on .NET 8.0 RC2.

Follow the steps below to fix the VBR 12.1 CVE-2023-36558 and CVE-2023-36049 vulnerabilities.

Please back up the server before making any changes.

1. Log in to the Veeam servers.

2. Open Command Prompt as administrator.

3. Open Programs and Features to check the .NET version. The VBR 12.1 manager and console server install .NET version 6.0.24 from the VeeamBackup&Replication_12.1.0.2131_20231206 ISO image.

4. Microsoft recommends downloading and installing the patched version 6.0.25 and uninstalling the end-of-support .NET version.

https://download.visualstudio.microsoft.com/download/pr/955c1f8b-93d8-4c32-9380-6dd18f69a135/44efbec986e7d078395ba9e45cf0e607/dotnet-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/dc41dbfc-0cb2-453b-8e13-b96df87ec639/80632cb579c5dd86842224b9e6304221/aspnetcore-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/52d6ef78-d4ec-4713-9e01-eb8e77276381/e58f307cda1df61e930209b13ecb47a4/windowsdesktop-runtime-6.0.25-win-x64.exe

5. Open Programs and Features again to check the .NET version. You will see all of the .NET 6.0.25 versions installed.

6. Restart the server.
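
The version check in steps 3 and 5 can also be scripted. The PowerShell below is an added example, not part of the original procedure or any Veeam tooling: it parses `dotnet --list-runtimes` style lines and flags runtimes in the affected ranges listed above. The function name and the sample lines are constructed for illustration, and running it live assumes `dotnet.exe` is on the PATH.

```powershell
# Added example: flag installed .NET runtimes that fall in the affected ranges
# quoted in this post (6.0.24 or earlier, 7.0.13 or earlier, 8.0 RC2).

# Last affected patch level per release line, from the "Affected software" list.
$LastAffected = @{ '6.0' = [version]'6.0.24'; '7.0' = [version]'7.0.13' }

function Get-AffectedDotNetRuntime {   # hypothetical helper name
    param([string[]]$RuntimeLines)

    foreach ($line in $RuntimeLines) {
        # Line shape: "<runtime name> <version>[-prerelease] [<install path>]"
        if ($line -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)(?<pre>-\S+)?\s+\[(?<path>.+)\]$') {
            $ver  = [version]$Matches.ver
            $band = '{0}.{1}' -f $ver.Major, $ver.Minor
            $pre  = $Matches.pre          # $null for release builds

            $affected = $false
            if ($LastAffected.ContainsKey($band)) {
                $affected = $ver -le $LastAffected[$band]
            } elseif ($band -eq '8.0' -and $pre -like '-rc.2*') {
                $affected = $true         # 8.0 RC2 is listed as affected
            }

            [pscustomobject]@{
                Runtime  = $Matches.name
                Version  = "$($Matches.ver)$pre"
                Affected = $affected
                Path     = $Matches.path
            }
        }
    }
}

# Constructed sample: a server part-way through the update, old and new side by side.
$sample = @(
    'Microsoft.AspNetCore.App 6.0.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 6.0.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.NETCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.WindowsDesktop.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]'
    'Microsoft.NETCore.App 8.0.0-rc.2.23479.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)

# On a real server, replace $sample with: (& dotnet --list-runtimes)
Get-AffectedDotNetRuntime -RuntimeLines $sample | Format-Table -AutoSize
```

Any row that still shows `Affected = True` after step 5 is an old runtime left installed next to 6.0.25 and should be uninstalled as described in step 4.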

Everything is fine so far, and the .net versions are patched.

I hope you enjoy this post.

Cary Sun

X: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com

Amazon Author: https://Amazon.com/author/carysun
