Last week, Veeam identified a critical vulnerability in a component of its Backup for Microsoft Azure solution that allows attackers to bypass authentication mechanisms and execute arbitrary code.
About Veeam Backup for Microsoft Azure
Veeam Backup for Microsoft Azure is a solution offered by Veeam to back up and restore Azure IaaS-based virtual machines and Azure SQL databases. The solution offers instance, volume and file-level recovery options.
The solution is available as a virtual machine instance from the Azure marketplace that stores snapshots in Azure blob storage tiers and offers a web-based management portal.
About the vulnerability
The Veeam Updater component of Veeam Backup for Microsoft Azure contains a critical vulnerability that allows attackers to bypass authentication mechanisms and execute arbitrary code.
Veeam has released a new version of the Veeam Updater component in Veeam Backup for Microsoft Azure. The vulnerability is addressed in version 5.0.0.633 and up.
The vulnerability was found during internal testing at Veeam. Veeam has assigned a CVSS v3 score of 10.0 to this vulnerability.
Affected products
The vulnerability was present in the Veeam Updater component in the following products:
- Veeam Backup for Microsoft Azure 2.0
- Veeam Backup for Microsoft Azure 3.0
Call to Action
Since January 6th, 2022, the Veeam Updater component has automatically installed this fix during its daily check for updates, resolving the vulnerability for implementations that are able to communicate with https://repository.veeam.com.
If the Veeam Backup for Microsoft Azure virtual machine instance does not have internet access, a manual update process is available. Please contact Veeam Support for assistance.
Further reading
KB4261: Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Native Azure Backup Software – Veeam Backup for Microsoft Azure