
Veeam patches critical flaw that puts enterprise backups at risk


Veeam, a provider of data backup and recovery software, has patched a critical vulnerability that could allow an unauthenticated attacker access to the Veeam Backup Enterprise Manager (VBEM) web console.

The company released a fixed version of its Veeam Backup & Replication solution on Tuesday, which resolves four bugs, including the critical flaw and two high-severity security vulnerabilities that can also lead to VBEM account compromise.

Veeam customers should update their Backup & Replication instances to version 12.1.2.172 to resolve the issues.

The most severe vulnerability, tracked as CVE-2024-29849, has a critical CVSS score of 9.8 and “allows an unauthenticated attacker to log in to the VBEM web interface as any user.”

VBEM is an optional, supplementary application that is not installed by default, Veeam’s security advisory noted. The application gives customers access to a web console to remotely manage multiple Veeam Backup & Replication instances.

For users who cannot immediately patch to version 12.1.2.172, Veeam recommended halting use of VBEM by stopping and disabling two services: VeeamEnterpriseManagerSvc and the Veeam RESTful API Service (VeeamRESTSvc). Users should not disable the separate Veeam Backup Server RESTful API Service, the advisory stated.

The advisory also said the updated VBEM application is compatible with older versions of the main Backup & Replication software, and thus VBEM can be updated to 12.1.2.172 without the need to update the main software if VBEM is installed on a dedicated server.

VBEM should also be uninstalled if it is not in use, according to Veeam.
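The interim mitigation above can be applied consistently across a fleet with a short script. The following PowerShell is an added example for this article, not code from Veeam or from the advisory: it looks for a VBEM installation, compares its version against the fixed build 12.1.2.172, and only then stops and disables the two services the advisory names. The two service names and the fixed version come from the advisory; the use of the standard Windows uninstall registry keys and the `DisplayName` pattern used to find VBEM are assumptions. The Veeam Backup Server RESTful API Service is deliberately left untouched, as the advisory directs.

```powershell
# Added example (not from Veeam or the article): detect Veeam Backup Enterprise
# Manager (VBEM), and if it is installed and older than the fixed build, apply
# Veeam's interim mitigation of stopping and disabling the two VBEM services.
# Run in an elevated PowerShell session on the host where VBEM is installed.

$FixedVersion = [version]'12.1.2.172'   # fixed build stated in the advisory

# Service names taken from the advisory. The separate Veeam Backup Server
# RESTful API Service is intentionally NOT listed: the advisory says to leave it running.
$VbemServices = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

function Get-VbemInstalledVersion {
    # Assumption: VBEM registers an entry under the standard Windows uninstall
    # keys with a DisplayName containing "Enterprise Manager". Returns $null if absent.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Veeam*Enterprise Manager*' } |
        Select-Object -First 1
    if ($null -eq $entry -or -not $entry.DisplayVersion) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-VbemNeedsMitigation {
    param([version]$Installed, [version]$Fixed = $FixedVersion)
    # Not installed: nothing to mitigate. Installed and older than the fix: mitigate.
    if ($null -eq $Installed) { return $false }
    return $Installed -lt $Fixed
}

function Invoke-VbemMitigation {
    param([string[]]$Services = $VbemServices, [switch]$WhatIf)
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning "Service '$name' not found on this host; skipping."
            continue
        }
        if ($WhatIf) { Write-Output "Would stop and disable '$name'"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled   # survive reboot until patched
        Write-Output "Stopped and disabled '$name'"
    }
}

$installed = Get-VbemInstalledVersion
if ($null -eq $installed) {
    Write-Output 'VBEM not detected; no action needed (it is not installed by default).'
} elseif (Test-VbemNeedsMitigation -Installed $installed) {
    Write-Output "VBEM $installed is below $FixedVersion; applying interim mitigation."
    Invoke-VbemMitigation
} else {
    Write-Output "VBEM $installed is at or above the fixed build; no mitigation required."
}
```

Run it once with `Invoke-VbemMitigation -WhatIf` to confirm which services would be touched before applying it. Because the script disables the services rather than merely stopping them, the mitigation persists across reboots; remember to re-enable them (or uninstall VBEM, as Veeam suggests when it is not needed) once the host has been updated to 12.1.2.172.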

The other two high-severity VBEM vulnerabilities patched in the latest update are tracked as CVE-2024-29850 and CVE-2024-29851. The former has a CVSS score of 8.8 and allows account takeover via NTLM (new technology LAN manager) relay, while the latter has a CVSS score of 7.2 and “allows a high-privileged user to steal the NTLM hash of the VBEM service account” if the service account is not a default Local System account, according to the advisory.

Veeam Backup & Replication, which enables customers to back up data from physical, virtual and cloud environments, has been a target for ransomware gangs and other threat actors in the past; last year, Veeam Backup & Replication instances vulnerable to a flaw tracked as CVE-2023-27532 were targeted by the FIN7 hacking group to drop the Diceloader/Lizar backdoor.

In May 2023, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued an advisory warning healthcare organizations about increasing cyberattacks targeting CVE-2023-27532, which enables the theft of encrypted credentials from a server’s configuration database.

Additionally, two Veeam Backup & Replication vulnerabilities tracked as CVE-2022-26500 and CVE-2022-26501, which could enable arbitrary code execution and system takeover, were added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog in December 2022.
