Hey Check your logs fans,

Today, we will work on new vulnerabilities on some of our Veeam VBR/Veeam One/VBO servers. When the product is installed, some .NET Core dependencies get installed with it. Like anything else on our application servers, these can be exploited and must be serviced. Unfortunately, this one doesn’t automatically get serviced via Windows Update by default.

Along with the CVE that needs to be remediated, we also noticed that we had end-of-support versions of .NET on these servers. Multiple versions of .NET can exist on the same application server simultaneously and are left in place for backward compatibility. I’m going to make a big assumption here that if the later version 6.x is installed on this server and they still have version 3.x, we likely don’t need 3.x anymore.

It has been flagged in Defender Endpoint Vulnerability scans and poses an issue for upcoming Cyber Insurance Audits.

So, along with remedying the CVE, we will also work through uninstalling the older version of .NET and .NET Core and testing that the server still works after the removal.

The CVE we will address in this blog post is CVE-2023-36558, which is fixed by updating ASP.NET Core.

From Microsoft – Update Asp.net Core to a later version to mitigate two known vulnerabilities affecting your devices. Doing so can help lessen your organization’s security risk due to versions that have reached their end-of-support.

Running end-of-support software can result in significant issues if there is a cyber-attack and your cyber insurance is engaged. Many policies have riders against running EOS (end-of-support) hardware and software. So, let’s not have that problem, ok.

Here is some information from CISA – https://nvd.nist.gov/vuln/detail/CVE-2023-36558

Here is some information from Microsoft – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An unauthenticated attacker could bypass validations on Blazor Server forms.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then trigger an event that could exploit the vulnerability to save an invalid state to a database or trigger other unintended actions, depending on what functionality the form provides.

So, interestingly enough, we are using quite old versions of .NET, .NET Core and the .NET Runtime.

This server has been upgraded with server versions of Veeam over the years. We might have some remnants on here that might not have been uninstalled during the upgrade.

We are going to try patching version 6 to see if that breaks anything and whether the vulnerability disappears from the Defender Endpoint vulnerability scans.

https://download.visualstudio.microsoft.com/download/pr/dc41dbfc-0cb2-453b-8e13-b96df87ec639/80632cb579c5dd86842224b9e6304221/aspnetcore-runtime-6.0.25-win-x64.exe

https://download.visualstudio.microsoft.com/download/pr/955c1f8b-93d8-4c32-9380-6dd18f69a135/44efbec986e7d078395ba9e45cf0e607/dotnet-runtime-6.0.25-win-x64.exe

Above are the two links Microsoft is recommending for the security updates to .NET 6.x.

First, install the Microsoft .NET Runtime – 6.0.25 (x64) installer.

Next, install the Microsoft ASP.NET Core 6.0.25 – Shared Framework (x64) setup.

We can see the versions have been updated.

Now let’s try and launch our Veeam Console and see if we have issues.

Now for version 3.x, which is end of support – I’m going to try uninstalling it and see what happens.
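To make the inventory, patch and clean-up steps above repeatable across a fleet of Veeam servers, here is an added PowerShell example (my own, not code from the original post, from Veeam or from Microsoft). It parses `dotnet --list-runtimes`, flags the end-of-support majors and any 6.0 runtime older than the 6.0.25 fix for CVE-2023-36558, runs the two installers linked above silently, and lists the Add/Remove Programs entries for the EOS versions so their uninstall strings are visible before anything is removed. Assumptions: `dotnet.exe` is on PATH, the two downloaded installers were saved to `C:\Temp`, and the list of EOS majors is maintained by hand.

```powershell
<#
  Added example (not from the original post, Veeam or Microsoft).
  Inventory .NET runtimes on a Veeam server, flag EOS and unpatched
  versions, apply the 6.0.25 installers, and list EOS uninstall entries.
#>

# Hand-maintained list of .NET majors treated as end-of-support (assumption).
$EosMajors      = @('3.1', '5.0')
# Patched level for the 6.0 line, per the post.
$PatchedMinimum = [version]'6.0.25'
# Folder where the two downloaded installers were saved (assumption).
$InstallerDir   = 'C:\Temp'

function Get-DotNetRuntimeInventory {
    # Parses 'dotnet --list-runtimes', whose lines look like:
    #   Microsoft.AspNetCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
    dotnet --list-runtimes | ForEach-Object {
        if ($_ -match '^(?<name>\S+)\s+(?<ver>\d+(\.\d+)+)\s+\[(?<path>.+)\]$') {
            [pscustomobject]@{
                Runtime = $Matches.name
                Version = [version]$Matches.ver
                Path    = $Matches.path
            }
        }
    }
}

function Get-RuntimeStatus {
    # Classifies every installed runtime as OK, NEEDS-PATCH or END-OF-SUPPORT.
    Get-DotNetRuntimeInventory | ForEach-Object {
        $major  = '{0}.{1}' -f $_.Version.Major, $_.Version.Minor
        $status =
            if ($EosMajors -contains $major) { 'END-OF-SUPPORT (uninstall)' }
            elseif ($major -eq '6.0' -and $_.Version -lt $PatchedMinimum) { 'NEEDS-PATCH (CVE-2023-36558)' }
            else { 'OK' }
        [pscustomobject]@{ Runtime = $_.Runtime; Version = $_.Version; Status = $status }
    }
}

function Install-DotNet6Patch {
    # Silent install of the two installers linked in the post, in the same
    # order the post uses: .NET Runtime first, then the ASP.NET Core shared framework.
    foreach ($exe in 'dotnet-runtime-6.0.25-win-x64.exe', 'aspnetcore-runtime-6.0.25-win-x64.exe') {
        $path = Join-Path $InstallerDir $exe
        if (-not (Test-Path $path)) { throw "Installer not found: $path" }
        $proc = Start-Process -FilePath $path -ArgumentList '/install', '/quiet', '/norestart' -Wait -PassThru
        # 0 = success, 3010 = success but a reboot is pending.
        if ($proc.ExitCode -notin @(0, 3010)) { throw "$exe failed with exit code $($proc.ExitCode)" }
    }
}

function Get-EosUninstallEntries {
    # Add/Remove Programs entries (64-bit and 32-bit views) whose display name
    # carries an EOS major, e.g. "Microsoft .NET Core Runtime - 3.1.32 (x64)".
    $eosPattern = '(^|\s)(' + (($EosMajors | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\.\d'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '\.NET' -and $_.DisplayName -match $eosPattern } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# --- Before: what is installed and what needs attention ---
Get-RuntimeStatus | Format-Table -AutoSize

# --- Patch the 6.0 line, then re-check ---
Install-DotNet6Patch
Get-RuntimeStatus | Format-Table -AutoSize

# --- Show the EOS entries with their uninstall strings; removal is left to the operator ---
Get-EosUninstallEntries | Format-Table -AutoSize -Wrap
```

The script deliberately stops short of uninstalling anything: it prints the uninstall strings so you can remove the 3.x entries the same way the post does (through Add/Remove Programs) after taking a backup of the console server, then re-run `Get-RuntimeStatus` to confirm the only runtimes left report `OK`.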

What I would like to reinforce here is that cyber security sometimes requires us to think outside the box to defend against all threats.

If this had broken the application server, in this case a Veeam console server, I would have just restored it and gone back to the drawing board.

But everything seems to be working fine so far.

I’ll keep you posted. With this, at least the EOS software is gone, and the .NET versions are patched up.

Thanks,

Dave Kawula

Veeam Vanguard / Microsoft MVP