Hey Check Your Logs Fans,
Recently, Microsoft Defender Endpoint has identified a bunch of CVEs related to Microsoft ODBC, which is installed on Veeam VBR and Console Servers.
These need to be updated, and this post serves as a process to fix the following CVE’s:
With good cyber security hygiene on application servers such as these Veeam servers, we need to ensure application components stay up to date.
Usually, when I start with a lot of CVEs exposed like this, I will always move to the most current one because it will likely have a solution to fix the older ones automatically.
So, starting with CVE-2023-36730 – This one is serious—Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability.
Microsoft Recommendation is to Update Microsoft ODBC.
They are suggesting we go to a later version to mitigate vulnerabilities.
But what version? Let’s see what is currently installed.
We can go to the Version Distribution Tab, and we can see that several versions are running on these two servers.
As mentioned in the previous blog post, I’m not a fan of leaving behind old versions even if there are no current vulnerabilities.
So, we will update Version 17.4.1.1 and remove the older versions.
The older versions are there because these servers have been running Veeam Version 10, 11, and 12 and had an OS Upgrade along the way.
So the application server’s Host OS has been around for a while and hasn’t even been cleaned up along the way.
This is a crucial part of application server management, especially with the current state of cyber security worldwide.
Don’t just trust an upgraded UI to clean up old bits. Especially in the case of Veeam Console Servers, I’m a massive fan of wipe re-load on newer versions because it is so easy to transfer the configuration DB and settings with Veeam.
Always start fresh and clean, and you won’t end up in this situation.
Ok, so how do we deal with 17.4.1.1 on these servers??
Here is a link from Microsoft Learn on the latest version:
We will try taking this Veeam Server up to Version 18.3.2 and see what happens.
Ok let’s run the installer it is just a next next finish for this example.
Here is my issue à with the upgrades of Veeam we haven’t ever removed old dependencies.
We will get rid of ODBC 13 and 17 in this case.
Go for it uninstall it see what happens
As it turns out, we are fine here. Veeam Console loaded up without issues, and now we are on a much more secure platform.
All those CVE’s are fixed.
Thanks,
Dave Kawula
Veeam Vanguard / Microsoft MVP