Veeam addressed three remote code execution vulnerabilities in Veeam Backup & Replication (CVE-2022-26500, CVE-2022-26501, CVE-2022-26504)

Last week, Veeam released two new versions of Veeam Backup & Replication (VBR) to address three vulnerabilities in the product. Two of these vulnerabilities exist in the Veeam Distribution Service and are classified as critical with CVSS v3 scores of 9.8. The third exists in an optional component and is rated as important with a CVSS v3 score of 8.8.

About the vulnerabilities

Three vulnerabilities were addressed:

CVE-2022-26500 Remote Code Execution vulnerability in Veeam Distribution Service

A vulnerability (CVE-2022-26500) exists in the Veeam Distribution Service. This component allows executing malicious code remotely without authentication. This may lead to gaining control over the target system.

The Veeam Distribution Service, using TCP 9380 with default settings, allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.

This vulnerability is assigned CVE-2022-26500 and rated as Critical with a CVSS v3 score of 9.8. The vulnerability was reported by Positive Technologies.

CVE-2022-26501 Remote Code Execution vulnerability in Veeam Distribution Service

A vulnerability (CVE-2022-26501) exists in the Veeam Distribution Service. This component allows executing malicious code remotely without authentication. This may lead to gaining control over the target system.

The Veeam Distribution Service, using TCP 9380 with default settings, allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.

This vulnerability is assigned CVE-2022-26501 and rated as Critical with a CVSS v3 score of 9.8. The vulnerability was reported by Positive Technologies.

CVE-2022-26504 Remote Code Execution vulnerability in Veeam.Backup.PSManager

A vulnerability (CVE-2022-26504) exists in the Veeam Backup & Replication component used for integration with Microsoft System Center Virtual Machine Manager (SCVMM). This vulnerability allows malicious domain users to execute malicious code remotely. This may lead to gaining control over the target system.

This vulnerability is assigned CVE-2022-26504 and rated as Important/High with a CVSS v3 score of 8.8.

The Veeam.Backup.PSManager.exe process, using TCP 8732 with default settings, allows authentication using non-administrative domain credentials. A remote attacker may use the vulnerable component to execute arbitrary code.

Note:
Default Veeam Backup & Replication installations are not vulnerable to CVE-2022-26504. Only Veeam Backup & Replication installations with an SCVMM server registered are vulnerable.

Affected products

The following products are affected:

  • Veeam Backup & Replication v9.5
  • Veeam Backup & Replication v10
  • Veeam Backup & Replication v11

Updates

Veeam has released two new versions of Veeam Backup & Replication to address the above vulnerabilities:

Veeam Backup & Replication v9.5

If you are running Veeam Backup & Replication v9.5 U4b (v9.5.4.2866), use the ISO to upgrade to Veeam Backup & Replication v11a 11.0.1.1261 P20220302.

Veeam Backup & Replication v10

Veeam Backup & Replication v10a v10.0.1.4854 P20220304 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.

This patch can be installed on Veeam Backup & Replication installations running v10.0.1.4854. When running a previous version of Veeam Backup & Replication, update to version 10a (10.0.1.4854) before installing the patch.

Note:
Installing the patch to address these three vulnerabilities will prevent upgrades to Veeam Backup & Replication v11 and will only be compatible with an upgrade to Veeam Backup & Replication v11a.

Note:
Veeam Cloud Connect service providers running Veeam Backup & Replication v10a need to upgrade directly to version 11 instead.

Veeam Backup & Replication v11

Veeam Backup & Replication v11a 11.0.1.1261 P20220302 addresses the above three vulnerabilities when you install it on the Veeam Backup & Replication Server.

This patch can be installed on Veeam Backup & Replication installations running v11.0.1.1261. When running a previous version of Veeam Backup & Replication, update to version 11a (11.0.1.1261) before installing the patch.

Concluding

Install the updates for your respective version of Veeam Backup & Replication on your installations. As these vulnerabilities are rated Critical and Important, expedite patching your infrastructure to avoid compromise of your backup infrastructure and your organization’s ability to restore information.
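The following triage script is an added example, not Veeam's own code: run on the backup server as a local administrator, it reports the installed build, maps it to the remediation path given above, and checks whether the two ports tied to these issues (TCP 9380 for the Distribution Service, TCP 8732 for Veeam.Backup.PSManager) are actually listening. The path to Veeam.Backup.Manager.exe is an assumption about the standard install location; adjust it if needed.

```powershell
# Added triage helper (not Veeam's code). Run on the Veeam Backup & Replication
# server as a local administrator.
# ASSUMPTION: standard install location of the VBR manager executable.
$ManagerExe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe'

# Base builds named in the advisory and the remediation that applies to each.
$Remediation = @{
    '9.5.4.2866'  = 'v9.5 U4b: no patch; upgrade via ISO to v11a 11.0.1.1261 P20220302'
    '10.0.1.4854' = 'v10a: install P20220304 (afterwards only an upgrade to v11a is possible)'
    '11.0.1.1261' = 'v11a: install P20220302'
}

# 1. Installed build. The file version identifies the base build only; whether the
#    P2022030x patch is already applied must be confirmed in the product's own
#    version display.
if (Test-Path $ManagerExe) {
    $build = (Get-Item $ManagerExe).VersionInfo.FileVersion
    Write-Host "Installed build: $build"
    if ($Remediation.ContainsKey($build)) {
        Write-Host "Remediation: $($Remediation[$build])"
    } else {
        Write-Host 'Not a patch base build: update to 10a (10.0.1.4854) or 11a (11.0.1.1261) first, then patch.'
    }
} else {
    Write-Warning "Veeam.Backup.Manager.exe not found at $ManagerExe; set the correct path."
}

# 2. Exposure of the components named in the advisory.
$Ports = @{
    9380 = 'Veeam Distribution Service (CVE-2022-26500/26501, no authentication required)'
    8732 = 'Veeam.Backup.PSManager (CVE-2022-26504, domain credentials + registered SCVMM server required)'
}
foreach ($port in $Ports.Keys) {
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($listen) {
        $owner = (Get-Process -Id $listen[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Host "TCP $port LISTENING on $($listen[0].LocalAddress) (process: $owner) -> $($Ports[$port])"
    } else {
        Write-Host "TCP $port not listening -> $($Ports[$port]) not exposed on this host"
    }
}
```

A listening TCP 8732 only matters for CVE-2022-26504 if an SCVMM server is registered in the console; a listening TCP 9380 on an unpatched base build should be treated as exposed to the two critical issues until the update is applied.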
