Veeam Backup & Replication Vulnerabilities


Mar 16, 2022 by Taylor Krieg

Veeam recently announced the discovery of significant vulnerabilities in their Veeam Backup & Replication product [CVE-2022-26500, CVE-2022-26501] and Veeam Agent for Microsoft Windows [CVE-2022-26503]. Patches are available.

Vulnerabilities

Veeam Backup & Replication [CVE-2022-26500, CVE-2022-26501]: Allows unauthenticated remote code execution, which could result in an attacker gaining control of the target system. The vulnerability permits unauthenticated users to access internal API methods/functions. A remote attacker could send data to the internal API that results in malicious code being uploaded and executed.

  • Severity: Critical
  • CVSS v3 score: 9.8

Veeam Agent for Microsoft Windows [CVE-2022-26503]: An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM rights. A local user could send malicious data to the Veeam Agent for Windows service network port, where it would be improperly deserialized.

  • Severity: High
  • CVSS v3 score: 7.8

Solutions

Temporary mitigation: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is deployed on the Veeam Backup & Replication server as well as on servers in Protection Groups designated as distribution servers.

Patches available for Veeam Backup & Replication versions:

  • 11a [P20220302]
    • NOTE: Confirm you are running Veeam Backup & Replication 11a (build 11.0.1.1261) with or without previous patches before applying this Cumulative Patch via the Patch Installer.
    • If you are running any Veeam Backup & Replication version between 9.5 U4b (9.5.4.2866) and 11 (11.0.0.837 P20210525), you must upgrade to version 11a P20220302.
  • 10a [P20220304]
    • NOTE: Confirm you are running Veeam Backup & Replication 10a before applying this Cumulative Patch using the Patch Installer (builds 10.0.1.4854, 10.0.1.4854 P20201202, or 10.0.1.4854 P20210609).
    • If you are running any Veeam Backup & Replication version between 9.5 U3 (9.5.0.1536) and 10 (10.0.0.4461 P2), you must use the ISO below to upgrade to version 10a P20220304.
      • Veeam Cloud Connect tenants: ensure that your service provider uses version 11 P20210507 or later for their Cloud Connect infrastructure before deploying this patch.
      • Veeam Cloud Connect service providers: this patch cannot be deployed on the Cloud Connect infrastructure servers running version 10a. Please upgrade directly to version 11 instead.
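The build check and temporary mitigation above, as an added PowerShell example (not Veeam's or Mirazon's code): it reports whether the installed Veeam Backup & Replication build is one of the two the patch notes say can take the Patch Installer (11.0.1.1261 or 10.0.1.4854) and, only when run with -ApplyMitigation, stops and disables the Veeam Distribution Service. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Veeam Backup & Replication" and that the service is found by the display name the advisory uses.

```powershell
#Requires -RunAsAdministrator
# Added example; assumptions: Uninstall-key DisplayName prefix and the service display name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without this switch the script only reports; nothing is changed.
    [switch]$ApplyMitigation
)

# Builds the advisory says accept the cumulative patch via the Patch Installer.
$PatchableBuilds = @{
    '11.0.1.1261' = '11a: apply P20220302'
    '10.0.1.4854' = '10a: apply P20220304'
}

function Get-VbrInstalls {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        Select-Object DisplayName, DisplayVersion
}

$installs = @(Get-VbrInstalls)
if ($installs.Count -eq 0) {
    Write-Warning 'No Veeam Backup & Replication entries found in the Uninstall registry keys.'
}
foreach ($vbr in $installs) {
    # Patch levels such as P20210609 do not change the four-part build, so match on that.
    $base = if ($vbr.DisplayVersion -match '\d+\.\d+\.\d+\.\d+') { $Matches[0] } else { 'unknown' }
    $verdict = if ($PatchableBuilds.ContainsKey($base)) { $PatchableBuilds[$base] }
               else { 'not a Patch Installer build: upgrade to 11a P20220302 (or 10a P20220304 via ISO)' }
    Write-Host ('{0} {1}: {2}' -f $vbr.DisplayName, $base, $verdict)
}

# Temporary mitigation from the advisory: stop and disable the Veeam Distribution Service.
$svc = Get-Service -DisplayName 'Veeam Distribution Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host 'Veeam Distribution Service is not installed on this host.'
} elseif ($ApplyMitigation -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable')) {
    Stop-Service -InputObject $svc -Force
    Set-Service -InputObject $svc -StartupType Disabled
    Write-Host ('{0} ({1}) stopped and disabled.' -f $svc.DisplayName, $svc.Name)
} else {
    Write-Host ('{0} ({1}) status: {2}, startup: {3}' -f $svc.DisplayName, $svc.Name, $svc.Status, $svc.StartType)
}
```

Run it on the Veeam Backup & Replication server and on each distribution server; `-ApplyMitigation -WhatIf` shows what would be changed without touching the service.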

Patches available for Veeam Agent for Microsoft Windows versions:

  • Veeam Agent for Microsoft Windows | 2.0 | 2.1 | 2.2 | 3.0.2 | 4.0 | 5.0
    • The patched release of Veeam Agent for Microsoft Windows must be manually installed on each computer for standalone Veeam Agent deployments.
    • For Veeam Agent for Microsoft Windows deployments managed by Veeam Backup & Replication, the update can be performed from the Veeam Backup & Replication Console after installing the necessary Veeam Backup & Replication cumulative patches.
      • Managed Veeam Agent for Microsoft Windows deployments will be updated automatically if the Auto-update backup agent option is configured. Otherwise, you’ll have to initiate the upgrade manually in the Veeam Backup & Replication console.
    • NOTE: If you are using a version of Veeam Agent for Microsoft Windows prior to 4, please upgrade to a supported version.


If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com.
