Veeam recently announced the discovery of significant vulnerabilities in their Veeam Backup & Replication product [CVE-2022-26500, CVE-2022-26501] and Veeam Agent for Microsoft Windows [CVE-2022-26503]. Patches are available.

Vulnerabilities

Veeam Backup & Replication [CVE-2022-26500, CVE-2022-26501]: Allows unauthenticated remote code execution, which could result in an attacker gaining control of the target system. The vulnerability permits unauthenticated users to access internal API methods/functions; a remote attacker can send data to the internal API that results in malicious code being uploaded and executed.

  • Severity: Critical
  • CVSS v3 score: 9.8

Veeam Agent for Microsoft Windows [CVE-2022-26503]: An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM rights. A local user could submit malicious code to the Veeam Agent for Windows Service network port, where it is not properly deserialized.

  • Severity: High
  • CVSS v3 score: 7.8

Solutions

Temporary mitigation: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is deployed on the Veeam Backup & Replication server as well as servers in Protection Groups designated as distribution servers.
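The following PowerShell is an added example for applying and verifying that temporary mitigation; it is not from the Veeam advisory or from Mirazon. It locates the service by the display name given above (an assumption: the page does not state the internal service name), stops it, sets its startup type to Disabled, and then re-reads the service state so the script fails loudly if the change did not take effect. Run it in an elevated session on the Veeam Backup & Replication server and on every distribution server in your Protection Groups.

```powershell
# Added example (not Veeam's or Mirazon's code): apply the temporary mitigation
# by stopping and disabling the Veeam Distribution Service, then verify the result.
# Assumption: the service is identified by its display name as written in the advisory.
# Requires an elevated (Run as Administrator) PowerShell 5.1+ session.

$displayName = 'Veeam Distribution Service'
$services = @(Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue)

if ($services.Count -eq 0) {
    Write-Output "No service with display name '$displayName' on $env:COMPUTERNAME; nothing to do."
    return
}

foreach ($svc in $services) {
    Write-Output "Found '$($svc.Name)' (status: $($svc.Status), start type: $($svc.StartType))"

    # Stop the service if it is running, waiting up to 60 s for a clean stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Disable it so it does not come back on the next reboot or dependent-service start
    Set-Service -Name $svc.Name -StartupType Disabled

    # Re-read the state from the Service Control Manager and verify both properties
    $after = Get-Service -Name $svc.Name
    if ($after.Status -eq 'Stopped' -and $after.StartType -eq 'Disabled') {
        Write-Output "Mitigation applied: '$displayName' is stopped and disabled on $env:COMPUTERNAME."
    } else {
        throw "Mitigation NOT applied: status=$($after.Status), start type=$($after.StartType)"
    }
}
```

Record which hosts you ran this on; once the cumulative patch is installed, the service has to be re-enabled (`Set-Service -StartupType Automatic` and `Start-Service`) or backups to distribution servers will silently stop working.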

Patches available for Veeam Backup & Replication versions:

  • 11a [P20220302]
    • NOTE: Confirm you are running Veeam Backup & Replication 11a (build 11.0.1.1261) with or without previous patches before applying this Cumulative Patch via the Patch Installer.
    • If you are running any Veeam Backup & Replication version between 9.5 U4b (9.5.4.2866) and 11 (11.0.0.837 P20210525), you must upgrade to version 11a P20220302.
  • 10a [P20220304]
    • NOTE: Confirm you are running Veeam Backup & Replication 10a before applying this Cumulative Patch using the Patch Installer (builds 10.0.1.4854, 10.0.1.4854 P20201202, or 10.0.1.4854 P20210609).
    • If you are running any Veeam Backup & Replication version between 9.5 U3 (9.5.0.1536) and 10 (10.0.0.4461 P2), you must use the ISO below to upgrade to version 10a P20220304.
      • Veeam Cloud Connect tenants: ensure that your service provider uses version 11 P20210507 or later for their Cloud Connect infrastructure before deploying this patch.
      • Veeam Cloud Connect service providers: this patch cannot be deployed on the Cloud Connect infrastructure servers running version 10a. Please upgrade directly to version 11 instead.
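The following PowerShell is an added example, not from the Veeam advisory or from Mirazon, that inventories the installed Veeam Backup & Replication build on a server and maps it to the upgrade path described in the list above. It assumes (not confirmed by the page) that the product registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning "Veeam Backup & Replication" and a DisplayVersion equal to the build number (for example 11.0.1.1261). The cumulative patch level (P20220302 / P20220304) is not necessarily visible in that version string, so a matching build only means the server is eligible for the patch; confirm that the patch itself is present through the console or the Patch Installer.

```powershell
# Added example (not Veeam's or Mirazon's code): read the installed Veeam Backup &
# Replication build from the standard Uninstall registry keys and print the patch
# guidance from the advisory for that build.
# Assumptions: DisplayName starts with "Veeam Backup & Replication" and DisplayVersion
# holds the build number. The P-level of an applied cumulative patch may not be
# reflected in DisplayVersion; verify it separately.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VbrPatchGuidance {
    param([Parameter(Mandatory)][version]$Build)

    # Build boundaries taken from the advisory text
    $v95u3  = [version]'9.5.0.1536'   # 9.5 U3: oldest build covered by the 10a ISO path
    $v95u4b = [version]'9.5.4.2866'   # 9.5 U4b: oldest build covered by the 11a path
    $v10a   = [version]'10.0.1.4854'  # 10a: eligible for cumulative patch P20220304
    $v11    = [version]'11.0.0.837'   # 11: must upgrade to 11a
    $v11a   = [version]'11.0.1.1261'  # 11a: eligible for cumulative patch P20220302

    if ($Build -ge $v11a)  { return 'Eligible for 11a patch P20220302 - verify the patch is installed' }
    if ($Build -ge $v11)   { return 'Upgrade to 11a P20220302' }
    if ($Build -ge $v10a)  { return 'Apply 10a patch P20220304, or upgrade to 11a P20220302 (Cloud Connect providers: go to 11)' }
    if ($Build -ge $v95u4b) { return 'Upgrade to 11a P20220302, or to 10a P20220304 via the ISO' }
    if ($Build -ge $v95u3) { return 'Upgrade to 10a P20220304 via the ISO' }
    return 'Build older than 9.5 U3 - upgrade to a supported version'
}

function Get-VbrInstallReport {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Cast to [version] so comparisons are numeric, not string-based
            $build = [version]$_.DisplayVersion
            [pscustomobject]@{
                Host     = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Build    = $build
                Guidance = Get-VbrPatchGuidance -Build $build
            }
        }
}

$report = @(Get-VbrInstallReport)
if ($report.Count -eq 0) {
    Write-Output "No Veeam Backup & Replication installation found in the Uninstall keys on $env:COMPUTERNAME."
} else {
    $report | Format-Table -AutoSize
}
```

`Get-VbrInstallReport` returns objects rather than text, so the same function can be run against a list of backup servers with `Invoke-Command` and the results collected into one table for the patching tracker.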

Patches available for Veeam Agent for Microsoft Windows versions:

  • Veeam Agent for Microsoft Windows | 2.0 | 2.1 | 2.2 | 3.0.2 | 4.0 | 5.0
    • The patched release of Veeam Agent for Microsoft Windows must be manually installed on each computer for standalone Veeam Agent deployments.
    • After installing the necessary Veeam Backup & Replication cumulative patches, the update can be performed from the Veeam Backup & Replication Console for Veeam Agent for Microsoft Windows deployments managed by Veeam Backup & Replication.
      • The Veeam Agent for Microsoft Windows deployments will be automatically updated if an Auto-update backup agent is configured. Otherwise, you’ll have to manually initiate the upgrade in the Veeam Backup & Replication panel.
    • NOTE: If you are using a version of Veeam Agent for Microsoft Windows prior to 4, please upgrade to a supported version.


If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com