Operational Defect Database

BugZero found this defect 160 days ago.

Veeam | kb4523

Vulnerability Scanner Detection Related to CVE-2023-38545

Last update date:

12/12/2023

Affected products:

Veeam Backup & Replication

Veeam Agent for Microsoft Windows

Veeam Agent for Linux

Veeam Cloud Connect

Affected releases:

ALL

Fixed releases:

No fixed releases provided.

Description:

Purpose

This Veeam KB article was created to address customers' concerns about the detection of libcurl by their security software on machines where the Veeam Transport Service is installed. Libcurl is a component of VMware VDDK (Virtual Disk Development Kit), which Veeam Backup & Replication redistributes to be able to protect VMware vSphere environments. Veeam Backup & Replication includes VDDK with the Veeam Transport Service package, which is deployed on managed machines for data movement purposes. A single Veeam Transport package is used for all situations where any portion of the Veeam Transport Services capabilities would be needed. Therefore, any server with the Veeam Transport Service installed will have VDDK libraries, regardless of whether the machine is part of a VMware vSphere backup infrastructure.

Impact Statement

Veeam Backup & Replication is not vulnerable to CVE-2023-38545 because Veeam Backup & Replication does not use the SOCKS5 protocol.

False Positive Alert Mitigation

Mitigation Explanation

Mitigation involves the removal of VDDK, which contains the libcurl library, from machines where it is not needed. It is crucial that VDDK not be removed from any machine with a role that requires the capability to communicate with the VMware vSphere environment.

Roles where VDDK must not be removed as it would impact the ability to communicate with the VMware vSphere environment:

Veeam Backup Server

VMware Backup Proxy

Guest Interaction Proxy

CDP Proxy

Please note that the presence of VDDK on any other Veeam components or on protected machines that do not carry the above roles does not represent even a theoretical threat because VDDK is never used or called from the Veeam code on those machines.
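The role check described above can be scripted when working through a batch of scanner findings. The following Python is an added example, not Veeam's code: the host names, role inventory and findings are constructed sample data, and the affected libcurl range (7.69.0 through 8.3.0) is taken from the curl project's advisory for CVE-2023-38545 rather than from this KB.

```python
# Added example; host names, role inventory and findings are constructed sample data.
import re

# Roles the KB lists as requiring VDDK (it must not be removed there).
VDDK_REQUIRED_ROLES = {
    "Veeam Backup Server", "VMware Backup Proxy",
    "Guest Interaction Proxy", "CDP Proxy",
}
# Affected libcurl releases per the curl advisory (assumption: not stated in the KB).
AFFECTED_MIN, AFFECTED_MAX = (7, 69, 0), (8, 3, 0)

def parse_version(text):
    """Return (major, minor, patch) from strings like '8.1.2' or 'libcurl/7.88.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(finding, roles_by_host):
    """Classify one scanner finding according to the KB's mitigation guidance."""
    try:
        version = parse_version(finding["libcurl"])
    except ValueError:
        return "review: libcurl version not parseable"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "close: libcurl version outside affected range"
    roles = set(roles_by_host.get(finding["host"], ()))
    needed = sorted(roles & VDDK_REQUIRED_ROLES)
    if needed:
        return "keep VDDK: required by " + ", ".join(needed)
    return "VDDK removal candidate: no role requires it"

# Constructed inventory (host -> Veeam roles) and constructed scanner findings.
ROLES = {
    "vbr01": ["Veeam Backup Server"],
    "proxy02": ["VMware Backup Proxy", "Guest Interaction Proxy"],
    "repo03": ["Backup Repository"],
}
FINDINGS = [
    {"host": "vbr01", "libcurl": "libcurl/8.1.2"},
    {"host": "proxy02", "libcurl": "7.88.1"},
    {"host": "repo03", "libcurl": "8.1.2"},
    {"host": "agent04", "libcurl": "8.4.0"},
    {"host": "agent05", "libcurl": "unknown"},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['host']:8} {triage(f, ROLES)}")
```

Hosts that come back as "keep VDDK" are the ones where the KB's impact statement applies; the role inventory must come from the Veeam console, since the script cannot discover roles itself.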

More Information

Veeam plans to update VDDK versions to the ones with a non-vulnerable version of libcurl once the updated VDDK versions are made available by the VDDK supplier (VMware).


Status

Unspecified
