Critical Vulnerabilities Discovered in Veeam Products

Veeam announced patches for critical vulnerabilities impacting their products this weekend. The flaws were uncovered by Positive Technologies, a cybersecurity company based in South Korea.
Let's take a closer look at the vulnerabilities found.

Veeam Availability Suite 11

Critical vulnerabilities impacting Veeam Backup & Replication

Tracked as CVE-2022-26500 and CVE-2022-26501, these flaws allow potential adversaries to remotely execute code without authentication, which may lead to gaining control over the target system. They carry a CVSS rating of 9.8 and are classified as Critical.
Indeed, RCE is one of the most dangerous types of flaw. Combined with the fact that no authentication is needed, this makes a ripe attack vector for ransomware groups and other cybercriminals.
The cause : The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API, which may lead to uploading and executing malicious code.
This vulnerability affects VBR versions 9.5, 10 and 11.

Veeam has already released patches that resolve the issues. The patches are only available for versions 10 and 11, so those still using version 9.5 are advised to migrate to a supported release.

Please find the link to download the patches in this Veeam KB :
Veeam v11
Veeam v10

If you are not able to apply the patch or upgrade your VBR, Veeam has offered instructions on how to temporarily mitigate the risk : "Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups."

High vulnerability impacting Veeam Backup & Replication

Another high-severity vulnerability (CVE-2022-26504) affects the VBR component used for Microsoft System Center Virtual Machine Manager (SCVMM) integration and allows domain users to execute malicious code remotely. This may lead to gaining control over the target system. It carries a CVSS rating of 8.8 and is classified as High.
The cause : The vulnerable process Veeam.Backup.PSManager.exe (TCP 8732 by default) allows authentication using non-administrative domain credentials. A remote attacker may use the vulnerable component to execute arbitrary code.

Note : The default Veeam Backup & Replication installation is not vulnerable to this issue. Only Veeam Backup & Replication installations with an SCVMM server registered are vulnerable.
This vulnerability affects VBR versions 9.5, 10 and 11.

The same cumulative patches for versions 10 and 11 linked above (Veeam v11 and Veeam v10) also resolve this issue. As before, those still using version 9.5 are advised to migrate to a supported release.

High vulnerability impacting Veeam Agent for Microsoft Windows

Unfortunately, the Veeam Backup & Replication vulnerabilities were not the only ones disclosed. There is another high-priority vulnerability affecting the Veeam Agent for Microsoft Windows.
The next one, CVE-2022-26503, relates to the Veeam Agent. The vulnerability is found in all versions of Veeam Agent for Microsoft Windows and allows local privilege escalation. An attacker who successfully exploits this vulnerability could run arbitrary code with LOCAL SYSTEM privileges. This carries a CVSS rating of 7.8 and is classified as High.

The cause : Veeam Agent for Microsoft Windows uses Microsoft .NET data serialization mechanisms. A local user may send malicious data to the network port opened by the Veeam Agent for Windows service (TCP 9395 by default), which will not be deserialized properly.

This vulnerability is fixed in Veeam Agent versions 4 and 5. Thus, those still using older versions are advised to migrate to a supported release.

Please find the link to download the patches in this Veeam KB :
Veeam Agent v5 (build 5.0.3.4708)
Veeam Agent v4 (build 4.0.2.2208)

Keep in mind the following guidance from Veeam on remediating your Veeam Agents:
• For standalone Veeam Agent for Microsoft Windows deployments, the patched release must be installed manually on each machine.
• For Veeam Agent for Microsoft Windows deployments managed by Veeam Backup & Replication, the update can be performed from the Veeam Backup & Replication Console after installing the corresponding Veeam Backup & Replication cumulative patches ( 10a | 11a ).
If Auto-update backup agent is enabled, the Veeam Agent for Microsoft Windows deployments will be updated automatically. Otherwise, the update must be triggered manually in the Veeam Backup & Replication console.
Unfortunately, there is no workaround for the Veeam Agent as there is for the Veeam Backup & Replication critical vulnerability. You will have to prioritize getting the Veeam Agent upgraded on all affected Veeam Agent clients to remediate the vulnerability.
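To turn the advisory details above (the three default TCP ports, the Agent's patched builds, and Veeam's interim workaround for the Distribution Service) into a quick defender-side check, here is an added PowerShell script. It is not Veeam's tooling and not part of the original post; the service name `VeeamDistributionSvc` is an assumption that should be confirmed with `Get-Service` on your own servers.

```powershell
# Added example (not Veeam's code). Run as administrator on a VBR server or Agent host.
# Lists which advisory ports are listening, which process owns them and its file version,
# flags Veeam Agent builds below the patched 5.0.3.4708 / 4.0.2.2208, and with -Mitigate
# applies Veeam's interim workaround for CVE-2022-26500/26501.
# ASSUMPTION: the service name 'VeeamDistributionSvc' is assumed, verify it locally.
param([switch]$Mitigate)

$advisory = @(
    @{ Cve = 'CVE-2022-26500/26501'; Port = 9380; Note = 'Veeam Distribution Service, unauthenticated RCE' }
    @{ Cve = 'CVE-2022-26504';       Port = 8732; Note = 'Veeam.Backup.PSManager.exe, only with SCVMM registered' }
    @{ Cve = 'CVE-2022-26503';       Port = 9395; Note = 'Veeam Agent service, local privilege escalation' }
)
# Minimum patched Veeam Agent builds from the advisory, keyed by major version.
$patchedAgent = @{ 5 = [version]'5.0.3.4708'; 4 = [version]'4.0.2.2208' }

foreach ($item in $advisory) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $item.Port -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $listener) {
        Write-Output ("{0}: port {1} not listening ({2})" -f $item.Cve, $item.Port, $item.Note)
        continue
    }
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    $ver  = $null
    try { $ver = [version]$proc.MainModule.FileVersionInfo.FileVersion } catch { }
    $status = "listening, owned by $($proc.ProcessName) (PID $($proc.Id)), file version $ver"
    if ($item.Port -eq 9395 -and $ver) {
        # Compare the Agent build against the patched build for its major version.
        $min = $patchedAgent[$ver.Major]
        if ($min -and $ver -lt $min) { $status += " -> BELOW patched build $min, update the Agent" }
        elseif ($min)                { $status += " -> at or above patched build $min" }
    }
    Write-Output ("{0}: port {1} {2}" -f $item.Cve, $item.Port, $status)
}

if ($Mitigate) {
    # Veeam's interim workaround: stop and disable the Distribution Service until patched.
    $svc = Get-Service -Name 'VeeamDistributionSvc' -ErrorAction SilentlyContinue   # assumed name
    if ($svc) {
        Stop-Service -InputObject $svc -Force
        Set-Service  -InputObject $svc -StartupType Disabled
        Write-Output "Veeam Distribution Service stopped and disabled (re-enable after patching)."
    } else {
        Write-Warning "Veeam Distribution Service not found on this host; nothing to disable."
    }
}
```

Re-enable the Distribution Service once the cumulative patch is installed, since Protection Group deployments depend on it.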

I encourage you to apply the fixes as quickly as possible to keep your backup environment safe and secure. Ransomware groups might show an interest in these CVEs.
Keep in mind that your backups are your last line of defense in case of data loss.

Philippe DUPUIS

I'm a French Data Management and Security Engineer. I specialize in data protection and governance, disaster recovery, security, cloud & virtualization technologies. Certified Netwrix Auditor & Classification, F-Secure Radar, Rapid7, Exagrid ...