Four vulnerabilities in Veeam Backup Enterprise Manager were addressed in v12.1.2.172


Last week, Veeam addressed several vulnerabilities in components of its Backup Enterprise Manager that allow attackers to bypass authentication mechanisms and execute arbitrary code.


About Veeam Backup Enterprise Manager

Veeam Backup Enterprise Manager is a supplementary management and reporting application that allows admins to manage multiple Veeam Backup & Replication (VBR) installations from a single web console. With a number of Veeam Backup & Replication instances installed on different servers, Veeam Backup Enterprise Manager acts as a single management point. It allows admins to:

  • control license distribution,
  • manage backup jobs across the backup infrastructure,
  • analyze operation statistics of Veeam backup servers,
  • perform restore operations.


About the vulnerabilities

Veeam Backup Enterprise Manager v12.1.2.172, released on May 21st, 2024, addresses four vulnerabilities:


CVE-2024-29849

Severity: Critical
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.


CVE-2024-29850

Severity: High
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.


CVE-2024-29851

Severity: High
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.


CVE-2024-29852

Severity: Low
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.


Call to Action

The above vulnerabilities were addressed in Veeam Backup Enterprise Manager v12.1.2.172. For installations running v12.1.0.2132, an Updater is available. Older installations of Veeam Backup Enterprise Manager (starting with version 10.0.1.4854) can be upgraded using the ISO and the Upgrade Checklist.

Veeam Backup Enterprise Manager is a supplementary application. If it is not deployed in your environment, that environment would not be impacted by the above vulnerabilities.
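To turn the remediation guidance above into a repeatable inventory check, here is a small triage script (added here as an example; it is not Veeam's code). The build numbers are the ones named in this post; the wording of the upgrade-path labels and the handling of builds older than 10.0.1.4854 are my own assumptions.

```python
"""Triage an installed Veeam Backup Enterprise Manager build against the
fix release (v12.1.2.172) and report which upgrade path applies."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

FIXED: Version = (12, 1, 2, 172)         # release that addresses all four CVEs
UPDATER_BASE: Version = (12, 1, 0, 2132)  # build for which an in-place Updater exists
OLDEST_ISO: Version = (10, 0, 1, 4854)    # oldest build the ISO upgrade path covers

CVES = ("CVE-2024-29849", "CVE-2024-29850", "CVE-2024-29851", "CVE-2024-29852")


def parse_version(text: str) -> Version:
    """Extract a four-part build number (e.g. 12.1.0.2132) from free text such
    as an inventory line or a product's DisplayVersion value."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    major, minor, patch, build = (int(p) for p in m.groups())
    return (major, minor, patch, build)


def triage(version_text: str) -> Dict[str, object]:
    """Return whether the build is affected and the documented remediation path."""
    v = parse_version(version_text)
    if v >= FIXED:
        return {"version": v, "affected": False, "cves": (), "action": "none: fixed build or later"}
    if v == UPDATER_BASE:
        action = "apply the v12.1.2.172 Updater"
    elif v >= OLDEST_ISO:
        action = "upgrade with the v12.1.2.172 ISO and the Upgrade Checklist"
    else:
        # Assumption: builds older than the documented ISO range are not covered by the post.
        action = "older than the documented ISO upgrade path; consult Veeam support"
    return {"version": v, "affected": True, "cves": CVES, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    for line in ("bem01: Veeam Backup Enterprise Manager 12.1.0.2132",
                 "bem02: 11.0.1.1261", "bem03: 12.1.2.172"):
        result = triage(line)
        print(line, "->", "AFFECTED" if result["affected"] else "ok", "|", result["action"])
```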

Further reading

KB4510: Release Information for Veeam Backup & Replication 12.1 and Updates
KB4581: Veeam Backup Enterprise Manager Vulnerabilities

Related blogposts

A Critical Remote Code Execution vulnerability in Veeam Backup for Azure was automatically addressed
A Critical Vulnerability in Veeam Backup for Google Cloud was automatically addressed (CVE-2022-43549)

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander with the Veeam Vanguard award.