CVE-2023-38548 Overview
CVE-2023-38548 is a credential disclosure vulnerability in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. This vulnerability exposes sensitive authentication credentials that could be leveraged for further attacks within an organization's network environment.
Critical Impact
An attacker with basic authenticated access to the Veeam ONE Web Client can steal NTLM hashes from the Reporting Service account, potentially enabling pass-the-hash attacks, credential cracking, or lateral movement within the network.
Affected Products
- Veeam ONE version 12.0.0.2498
- Veeam ONE version 12.0.1.2591
Discovery Timeline
- 2023-11-07 - CVE-2023-38548 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2023-38548
Vulnerability Analysis
This vulnerability is classified under CWE-522 (Insufficiently Protected Credentials), indicating a fundamental weakness in how the Veeam ONE application handles and protects sensitive credential information. The Veeam ONE Reporting Service runs under a specific Windows account, and the vulnerability allows the NTLM hash of this service account to be extracted by users who should not have access to such privileged information.
The attack requires network access and low-privilege authentication to the Veeam ONE Web Client. Once authenticated, the attacker can exploit the vulnerability without any user interaction. The impact is focused on confidentiality, as the exposed NTLM hash represents sensitive credential material that can be used for subsequent attacks.
Root Cause
The root cause is insufficient protection of credentials within the Veeam ONE Web Client. The application does not adequately restrict access to the NTLM hash of the Veeam ONE Reporting Service account, so authenticated but unprivileged users can retrieve it. This violates the principle of least privilege: credential material that should be available only to administrative accounts is reachable by ordinary web client users.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access to the Veeam ONE Web Client with low-privilege credentials. The exploitation flow involves:
- The attacker authenticates to the Veeam ONE Web Client using any valid unprivileged user account
- Through the web interface, the attacker triggers functionality that exposes the NTLM hash of the Reporting Service account
- The attacker captures the NTLM hash for offline cracking or pass-the-hash attacks
- With the obtained credentials, the attacker can potentially escalate privileges or move laterally within the network
The vulnerability requires no special conditions or user interaction beyond initial authentication, so it is straightforward to exploit once access to the web client is obtained. Details of the specific exploitation mechanism are documented in Veeam Knowledge Base article KB4508.
Detection Methods for CVE-2023-38548
Indicators of Compromise
- Unusual authentication patterns or access requests to the Veeam ONE Web Client from unexpected user accounts
- Anomalous queries or requests targeting Reporting Service configuration or credential endpoints
- Evidence of NTLM relay attacks or pass-the-hash attempts using the Reporting Service account credentials
- Unexpected access patterns from the Reporting Service account to network resources
Detection Strategies
- Monitor Veeam ONE Web Client access logs for unusual query patterns from low-privilege users
- Implement behavioral analytics to detect abnormal access to sensitive configuration endpoints
- Deploy network monitoring to identify NTLM hash extraction attempts or relay attacks
- Enable Windows Security Event logging to track authentication events related to the Reporting Service account
Monitoring Recommendations
- Configure alerts for any authentication failures or unusual access patterns involving the Veeam ONE Reporting Service account
- Implement real-time monitoring of Veeam ONE application logs for suspicious activity
- Deploy endpoint detection and response (EDR) solutions to monitor for credential theft indicators
- Regularly audit user access to the Veeam ONE Web Client and remove unnecessary privileges
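As an added example, not part of this advisory or of Veeam's own tooling, the following PowerShell hunt implements the Detection Strategies and Monitoring Recommendations above: it reads Windows Security events 4624/4625 and flags NTLM network logons by the Reporting Service account from any machine other than the Veeam ONE server, which is the pattern a pass-the-hash attempt with the stolen hash would leave. The account name svc-veeamone-report and the host name VEEAMONE01 are placeholders to replace with your own values.

```powershell
# Added example: hunt for NTLM network logons by the Veeam ONE Reporting Service
# account from hosts that are not expected to use it. Placeholders, not real values:
# service account 'svc-veeamone-report', expected source host 'VEEAMONE01'.
param(
    [string]$ServiceAccount = 'svc-veeamone-report',   # placeholder account name
    [string[]]$ExpectedHosts = @('VEEAMONE01'),         # placeholder allow-list
    [int]$LookbackHours = 24
)

# 4624 = successful logon, 4625 = failed logon; both carry the fields used below,
# so failed attempts (the "authentication failures" case) are covered too.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a name -> value table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only the service account, network logons (LogonType 3) and NTLM.
    # Kerberos logons from the Veeam ONE server are the expected baseline; an NTLM
    # logon from anywhere else is consistent with use of a stolen NTLM hash.
    if ($data['TargetUserName'] -ne $ServiceAccount) { continue }
    if ($data['LogonType'] -ne '3') { continue }
    if ($data['AuthenticationPackageName'] -notmatch 'NTLM') { continue }
    if ($ExpectedHosts -contains $data['WorkstationName']) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Account     = $data['TargetUserName']
        SourceHost  = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        AuthPackage = $data['AuthenticationPackageName']
    }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    "No unexpected NTLM network logons for $ServiceAccount in the last $LookbackHours h."
}
```

Run it on the servers the Reporting Service account is expected to reach, or against forwarded Security logs, since 4624/4625 are recorded on the machine that accepted or rejected the logon rather than centrally.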
How to Mitigate CVE-2023-38548
Immediate Actions Required
- Update Veeam ONE to the latest patched version as specified in the vendor advisory
- Audit all user accounts with access to the Veeam ONE Web Client and remove unnecessary access
- Review and rotate the credentials for the Veeam ONE Reporting Service account
- Implement network segmentation to limit access to the Veeam ONE Web Client
Patch Information
Veeam has released security updates to address this vulnerability. Administrators should apply the patches documented in the Veeam Knowledge Base Article KB4508. The patch addresses the credential exposure issue by properly restricting access to the NTLM hash of the Reporting Service account.
Organizations should prioritize patching based on their exposure level and the criticality of their Veeam ONE deployment. After patching, it is recommended to rotate the Reporting Service account credentials as a precautionary measure.
Workarounds
- Restrict network access to the Veeam ONE Web Client to only trusted administrative workstations
- Implement additional authentication requirements (MFA) for accessing the Veeam ONE Web Client
- Use a dedicated service account with minimal privileges for the Reporting Service
- Monitor for credential theft attempts while awaiting patch deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


