Subscribe to NetSec News
Cyrus Robinson
The Veeam Distribution Service installed on Veeam Backup & Replication servers runs on TCP 9380 with default settings, and allows unauthenticated users to access internal API functions. This may allow a remote attacker to send input to the internal API which could lead to uploading and execution of malicious code.
Further, a vulnerability (CVE-2022-26504) exists in a component of Veeam Backup & Replication that is used for Microsoft System Center Virtual Machine Manager (SCVMM) integration. Authentication using non-administrative domain credentials is allowed via the Veeam.Backup.PSManager.exe process using default settings on TCP 8732.
Note: Only Veeam Backup & Replication installations with an SCVMM server registered are vulnerable to CVE-2022-26504. Default installations would not be affected; however, until they’re patched, they remain subject to the other two listed CVEs.
The vulnerabilities were reported by Nikita Petrov (Positive Technologies).
Affected Software / System
This advisory specifically applies to the following products:
- Veeam Backup & Replication v9.5
- Veeam Backup & Replication v10
- Veeam Backup & Replication v11
CVE (if applicable)
- CVE-2022-26500
- CVE-2022-26501
- CVE-2022-26504
Type
Veeam Distribution Service Remote Code Execution
Exploit Status:
Unknown. No known POCs are available yet, but weaponization is anticipated soon.
Rating
CVE-2022-26500 & CVE-2022-26501
Severity: Critical
CVSS v3 score: 9.8
CVE-2022-26504
Severity: Important/High
CVSS v3 score: 8.8
Impact
Vulnerabilities CVE-2022-26500 and CVE-2022-26501 in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.
Vulnerability CVE-2022-26504 allows for authentication using non-administrative domain credentials. This vulnerability allows malicious domain users to remotely execute arbitrary code and may lead to gaining control over the target system.
Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.
In general, Ingalls highly discourages organizations from exposing Veeam servers to the Internet. If these servers are web-exposed, these vulnerabilities can be leveraged for lateral movement, privilege escalation, data exfiltration, and to establish persistence post-compromise.
Temporary Mitigation
Disable the Veeam Distribution Service: The most secure mitigation option is for organizations to disable the Distribution Service on the Backup & Replication server (and any specified as distribution servers in Protection Groups) until it can be patched. However, this may not be possible or appropriate in all environments.
Mitigation/Workaround Impact: Disabling the Distribution Service prevents the Veeam architecture from uploading the Veeam Agent setup file, preventing automated agent deployment.
Ingalls recommends the following actions:
Veeam has released two new versions of Veeam Backup & Replication to address all three of these vulnerabilities. It is recommended that the latest version respective of your installations be installed immediately on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.
VEEAM BACKUP & REPLICATION V9.5
Veeam Backup & Replication v9.5 is currently unsupported. If you are running Veeam Backup & Replication v9.5 U4b v9.5.4.2866 use the ISO to upgrade to Veeam Backup & Replication v11a 11.0.1.1261 P20220302.
VEEAM BACKUP & REPLICATION V10
Veeam Backup & Replication v10a v10.0.1.4854 P20220304 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.
This patch can be installed on Veeam Backup & Replication installations running v10.0.1.4854. When running a previous version of Veeam Backup & Replication, update to version 10a (10.0.1.4854) before installing the patch.
Note: Installing the patch to address these three vulnerabilities will prevent upgrades to Veeam Backup & Replication v11 and will only be compatible with an upgrade to Veeam Backup & Replication v11a.
Note: Veeam Cloud Connect service providers running Veeam Backup & Replication v10a need to upgrade directly to version 11 instead.
VEEAM BACKUP & REPLICATION V11
Veeam Backup & Replication v11a 11.0.1.1261 P20220302 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.
This patch can be installed on Veeam Backup & Replication installations running v11.0.1.1261. When running a previous version of Veeam Backup & Replication, update to version 10a (10.0.1.4854) before installing the patch.
Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock, MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact us for more information.
