
Vulnerability Scanner Detection Related to CVE-2023-38545

KB ID: 4523
Product: Veeam Backup & Replication
Veeam Agent for Microsoft Windows
Veeam Agent for Linux
Veeam Cloud Connect
Published: 2023-12-12
Last Modified: 2024-07-01

Veeam Backup & Replication 12.1.2 Release - Article Update

With the release of Veeam Backup & Replication 12.1.2, the VDDK libraries, which contained the libcurl library, are no longer included with the Veeam Transport package. After upgrading, the Veeam Transport Package on remote components will be updated, and the VDDK Library pack will only be deployed on components where it is needed (VMware Backup Proxies).

Additionally, Veeam Backup & Replication 12.1.2 included an updated VDDK library to address the libcurl (CVE-2023-38545) concern.

Impact: The solution section of this article has now been updated to advise that customers upgrade to the latest version of Veeam Backup & Replication.

Purpose

The information below regarding VDDK library inclusion within the Veeam Transport Service is relevant only to versions of Veeam Backup & Replication older than version 12.1.2 (see notice at the top of this article for more information).

This Veeam KB article was created to address customers' concerns about the detection of libcurl by their security software on machines where the Veeam Transport Service is installed. Libcurl is a component of VMware VDDK (Virtual Disk Development Kit), which Veeam Backup & Replication redistributes to be able to protect VMware vSphere environments. Veeam Backup & Replication includes VDDK with the Veeam Transport Service package, which is deployed on managed machines for data movement purposes. A single Veeam Transport package is used for all situations where any portion of the Veeam Transport Services capabilities would be needed. Therefore, any server with the Veeam Transport Service installed will have VDDK libraries, regardless of whether the machine is part of a VMware vSphere backup infrastructure.

In October 2023, a vulnerability (CVE-2023-38545) affecting curl and libcurl was made public. Full details regarding this vulnerability can be found in the articles listed below. The crucial takeaway is that this vulnerability involves the curl/libcurl SOCKS5 proxy handshake process. Because Veeam Backup & Replication does not use the SOCKS5 protocol for communication between its components or with any external services, Veeam Backup & Replication is not impacted by this vulnerability.

Impact Statement

Veeam Backup & Replication is not vulnerable to CVE-2023-38545 because Veeam Backup & Replication does not use the SOCKS5 protocol.

False Positive Alerts

The information below regarding VDDK library inclusion within the Veeam Transport Service is relevant only to versions of Veeam Backup & Replication older than version 12.1.2 (see notice at the top of this article for more information).

Vulnerability detection software may issue false positive alerts based merely on the fact that the libcurl library file is present on a machine where the Veeam Transport Service has been deployed. Below is a list of component roles where Veeam Backup & Replication deploys the Veeam Transport Service for data movement purposes, meaning that the libcurl file contained in the VDDK libraries will also be found on servers holding these roles:

Solution

The solution is to upgrade to the latest version of Veeam Backup & Replication.

Starting with the release of Veeam Backup & Replication 12.1.2, the VDDK libraries, which contain the libcurl library, are no longer included with the Veeam Transport package. After upgrading, the Veeam Transport Package on remote components will be updated, and the VDDK Library pack will only be deployed on components where it is needed (VMware Backup Proxies).

Additionally, Veeam Backup & Replication 12.1.2 included an updated VDDK library to address the libcurl (CVE-2023-38545) concern.

More Information

Legacy Mitigation Advice
UPGRADE IS RECOMMENDED

The mitigation information below is only relevant to versions of Veeam Backup & Replication older than 12.1.2.

All customers are strongly encouraged to upgrade to the latest version of Veeam Backup & Replication, rather than implement these mitigation methods.

Mitigation Explanation

Mitigation involves removing VDDK, which contains the libcurl library, from machines where it is not needed. It is crucial that VDDK not be removed from any machine holding a role that requires the ability to communicate with the VMware vSphere environment.

Roles where VDDK must not be removed as it would impact the ability to communicate with the VMware vSphere environment:

  • Veeam Backup Server
  • VMware Backup Proxy
  • Guest Interaction Proxy
  • CDP Proxy

Please note that the presence of VDDK on any other Veeam components or on protected machines that do not carry the above roles does not represent even a theoretical threat because VDDK is never used or called from the Veeam code on those machines.

VDDK Library Must Remain on VMware Backup Proxies

Do not remove the VDDK libraries from VMware Backup Proxies. Removing the VDDK libraries from a VMware Backup Proxy will cause operations that attempt to use that proxy to communicate with VMware vSphere to fail with the error documented in KB2678.

Veeam Transport Redeployment

If the Veeam Transport package is reinstalled, either manually or as a result of an upgrade, the VDDK libraries will be reinstalled and will have to be removed again.

Implementation of Mitigation

If you have any concerns, upgrade to the latest version of Veeam Backup & Replication.


For each machine that your security software has alerted to the presence of the libcurl library:

  1. Review whether the machine is a part of the VMware vSphere backup infrastructure.
    Reference the list of roles within the Mitigation Explanation section above.
  2. If the machine does not carry one of those roles, use the commands below to remove the VDDK libraries that contain the libcurl library.

Linux Machines

To remove the VDDK libraries on a Linux machine, use the following command:

sudo rm -rf /opt/veeam/transport/vddk*

Windows Machines

To remove the VDDK libraries from a Windows machine, use the following commands:

Remove-Item -Recurse -Force "C:\Program Files (x86)\Veeam\Backup Transport\x64\vddk*"
Remove-Item -Recurse -Force "C:\Program Files (x86)\Veeam\Backup Transport\x64\vix"
Remove-Item -Recurse -Force "C:\Program Files (x86)\Veeam\Backup Transport\x86\vix"
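The following shell script is an added example, not Veeam's own tooling, showing how a Linux host can triage a scanner alert against the KB's VDDK location and perform the removal step only after the operator confirms the host holds none of the vSphere roles listed above. The function names, the VDDK_ROOT override (defaulting to the KB's /opt/veeam/transport path) and the dry-run mode are assumptions of this example.

```shell
#!/bin/sh
# Triage helper for libcurl alerts on Veeam Transport machines (added example,
# not part of the Veeam product). VDDK_ROOT can be overridden so the logic can
# be exercised against a constructed directory tree instead of a real install.
VDDK_ROOT="${VDDK_ROOT:-/opt/veeam/transport}"

# Print "vddk" if the path reported by the scanner lies under a vddk*
# directory of the Veeam Transport install (the location this KB describes
# as a false positive on non-vSphere roles), otherwise "other".
classify_alert_path() {
    case "$1" in
        "$VDDK_ROOT"/vddk*) echo vddk ;;
        *)                  echo other ;;
    esac
}

# List the vddk* directories currently present; return 1 if there are none.
list_vddk_dirs() {
    found=1
    for d in "$VDDK_ROOT"/vddk*; do
        [ -e "$d" ] || continue
        echo "$d"
        found=0
    done
    return $found
}

# Remove the VDDK libraries only when the operator has confirmed ($1 = "yes")
# that the host is not a Veeam Backup Server, VMware Backup Proxy, Guest
# Interaction Proxy or CDP Proxy. Any other value is a dry run (exit 2) that
# only reports what would be removed. Returns 1 if anything survived removal.
remove_vddk_if_safe() {
    if [ "$1" != "yes" ]; then
        echo "dry run: would remove:"
        list_vddk_dirs || echo "(no VDDK directories present)"
        return 2
    fi
    for d in "$VDDK_ROOT"/vddk*; do
        [ -e "$d" ] || continue
        rm -rf "$d"
    done
    list_vddk_dirs >/dev/null && return 1
    return 0
}
```

Remember that, as the KB notes, a Veeam Transport reinstall or upgrade below 12.1.2 puts the libraries back, so the check is worth rerunning after such events.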