Mar 16, 2022 by Taylor Krieg
Veeam recently announced the discovery of significant vulnerabilities in their Veeam Backup and Replication product [CVE-2022-26500, CVE-2022-26501] and Veeam Agent for Microsoft Windows [CVE-2022-26503]. There are patches available.
Vulnerabilities
Veeam Backup & Replication [CVE-2022-26500, CVE-2022-26501]: Allows malicious code to be executed remotely without authentication, which could result in an attacker gaining control of the target system. The vulnerability lets unauthenticated users reach internal API methods/functions; a remote attacker could send crafted data to the internal API, leading to malicious code being uploaded and executed.
- Severity: Critical
- CVSS v3 score: 9.8
Veeam Agent for Microsoft Windows [CVE-2022-26503]: An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM rights. A local user could send malicious code to the Veeam Agent for Windows Service network port, where it would be improperly deserialized.
- Severity: High
- CVSS v3 score: 7.8
Solutions
Temporary mitigation: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is deployed on the Veeam Backup & Replication server as well as servers in Protection Groups designated as distribution servers.
Patches available for Veeam Backup & Replication versions:
- 11a [P20220302]
  - NOTE: Confirm you are running Veeam Backup & Replication 11a (build 11.0.1.1261), with or without previous patches, before applying this Cumulative Patch via the Patch Installer.
  - If you are running any Veeam Backup & Replication version between 9.5 U4b (9.5.4.2866) and 11 (11.0.0.837 P20210525), you must upgrade to version 11a P20220302.
- 10a [P20220304]
  - NOTE: Confirm you are running Veeam Backup & Replication 10a (build 10.0.1.4854, 10.0.1.4854 P20201202, or 10.0.1.4854 P20210609) before applying this Cumulative Patch using the Patch Installer.
  - If you are running any Veeam Backup & Replication version between 9.5 U3 (9.5.0.1536) and 10 (10.0.0.4461 P2), you must use the ISO below to upgrade to version 10a P20220304.
  - Veeam Cloud Connect tenants: ensure that your service provider uses version 11 P20210507 or later for their Cloud Connect infrastructure before deploying this patch.
  - Veeam Cloud Connect service providers: this patch cannot be deployed on Cloud Connect infrastructure servers running version 10a. Please upgrade directly to version 11 instead.
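The following PowerShell is an added example for this post (not Veeam's or Mirazon's code): it reads the installed Veeam Backup & Replication build, maps it onto the version ranges listed in the patch notes above, and applies the temporary mitigation of stopping and disabling the Veeam Distribution Service. The executable path and the service display name are assumptions about a default installation; adjust them for your environment and run elevated on the Veeam Backup & Replication server.

```powershell
# Added example; not part of the Veeam advisory or this post.
# Assumptions: default install path of Veeam.Backup.Service.exe and the
# service display name "Veeam Distribution Service".

function Get-VeeamPatchStatus {
    param([string]$Exe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe')
    if (-not (Test-Path $Exe)) { throw "Veeam Backup & Replication not found at $Exe" }
    $build = [version]((Get-Item $Exe).VersionInfo.FileVersion)

    # Build boundaries quoted in the patch notes. The Pnnnnnnnn cumulative patch
    # level is not part of the file version, so confirm it in the console (Help > About).
    $v11a   = [version]'11.0.1.1261'  # 11a: cumulative patch P20220302 applies
    $v10a   = [version]'10.0.1.4854'  # 10a: cumulative patch P20220304 applies
    $v95u4b = [version]'9.5.4.2866'   # 9.5 U4b: lower bound for the upgrade to 11a
    $v95u3  = [version]'9.5.0.1536'   # 9.5 U3: lower bound for the upgrade to 10a

    $action = if ($build -ge $v11a) { 'Running 11a: install P20220302 if not already applied.' }
    elseif ($build -eq $v10a)       { 'Running 10a: install P20220304 (or upgrade to 11a P20220302).' }
    elseif ($build -ge $v95u4b)     { 'Between 9.5 U4b and 11: upgrade to 11a P20220302.' }
    elseif ($build -ge $v95u3)      { 'Between 9.5 U3 and 10: upgrade via ISO to 10a P20220304.' }
    else                            { 'Older than 9.5 U3: not covered by these patch notes; plan a full upgrade.' }

    [pscustomobject]@{ Build = $build; Action = $action }
}

function Disable-VeeamDistributionService {
    # Temporary mitigation from the advisory: stop and disable the Veeam Distribution
    # Service until the cumulative patch is installed, then set it back to Automatic.
    $svc = Get-Service -DisplayName 'Veeam Distribution Service' -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'Veeam Distribution Service is not present on this host.'; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
    Set-Service -InputObject $svc -StartupType Disabled
    "$($svc.Name) stopped and disabled; re-enable it after patching."
}

Get-VeeamPatchStatus | Format-List
# Disable-VeeamDistributionService   # uncomment to apply the temporary mitigation
```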
Patches available for Veeam Agent for Microsoft Windows versions:
- Veeam Agent for Microsoft Windows versions 2.0, 2.1, 2.2, 3.0.2, 4.0 and 5.0
- For standalone Veeam Agent deployments, the patched release of Veeam Agent for Microsoft Windows must be installed manually on each computer.
- For Veeam Agent for Microsoft Windows deployments managed by Veeam Backup & Replication, the update can be performed from the Veeam Backup & Replication Console once the necessary Veeam Backup & Replication cumulative patches have been installed.
- Managed Veeam Agent for Microsoft Windows deployments are updated automatically if the "Auto-update backup agent" option is configured. Otherwise, you will have to initiate the upgrade manually from the Veeam Backup & Replication Console.
- NOTE: If you are using a version of Veeam Agent for Microsoft Windows prior to 4, please upgrade to a supported version.
If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com