An Important Elevation of Privilege Vulnerability was addressed in the Veeam Agent for Microsoft Windows


Last week, Veeam released a new version of its Veeam Agent for Microsoft Windows to address an important vulnerability in the product.

About the vulnerability

This vulnerability in Veeam Agent for Microsoft Windows (CVE-2022-26503) allows for elevation of privileges. An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM privileges.

Veeam Agent for Microsoft Windows uses Microsoft .NET data serialization mechanisms. A local user may send a malicious serialized payload to the network port opened by the Veeam Agent for Windows Service (listening on TCP 9395 by default), and the service does not deserialize that input safely.

The vulnerability was reported by Nikita Petrov (Positive Technologies) and rated with a CVSS v3 score of 7.8.

Affected products

The following products are affected:

  • Veeam Agent for Microsoft Windows 2.0
  • Veeam Agent for Microsoft Windows 2.1
  • Veeam Agent for Microsoft Windows 2.2
  • Veeam Agent for Microsoft Windows 3.0.2
  • Veeam Agent for Microsoft Windows 4.0
  • Veeam Agent for Microsoft Windows 5.0
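The following PowerShell inventory check is an added example, not Veeam's code or a script from this post. It reads the standard Windows uninstall registry keys to find the installed Veeam Agent for Microsoft Windows build, flags installs whose major.minor matches the affected list above, and reports whether anything is listening on the default TCP 9395 port. The fixed build numbers are not given on this page, so `$FixedVersions` is a placeholder the operator fills in from Veeam's KB article; the registry paths and `Get-NetTCPConnection` are standard Windows facilities, not Veeam-specific.

```powershell
# Added defender-side check (not Veeam's code). Affected branches are taken from
# the advisory list; fixed build numbers are NOT on this page, so they are a
# placeholder to be filled in from Veeam's KB before relying on the 'patched' result.
$AffectedMajorMinor = @('2.0', '2.1', '2.2', '3.0', '4.0', '5.0')
$FixedVersions      = @()   # e.g. @('<fixed-build-from-Veeam-KB>')  -- placeholder

# Standard Windows uninstall hives (64-bit and 32-bit views).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$agents = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Agent for Microsoft Windows*' }

if (-not $agents) {
    Write-Output 'Veeam Agent for Microsoft Windows not found in the uninstall registry.'
}

foreach ($agent in $agents) {
    try {
        $installed = [version]$agent.DisplayVersion
    } catch {
        Write-Output ('{0}: unparseable DisplayVersion "{1}" - check manually' -f $agent.DisplayName, $agent.DisplayVersion)
        continue
    }
    $majorMinor = '{0}.{1}' -f $installed.Major, $installed.Minor

    # Patched only if at or above a known fixed build supplied by the operator.
    $isFixed = $FixedVersions | Where-Object { $installed -ge [version]$_ }

    $status = if ($isFixed) {
        'patched (at or above a known fixed build)'
    } elseif ($AffectedMajorMinor -contains $majorMinor) {
        'AFFECTED branch for CVE-2022-26503 - verify build against Veeam KB'
    } else {
        'not in the affected list - verify manually'
    }
    Write-Output ('{0} {1}: {2}' -f $agent.DisplayName, $installed, $status)
}

# The vulnerable service listens on TCP 9395 by default; confirm whether it is exposed.
$listener = Get-NetTCPConnection -State Listen -LocalPort 9395 -ErrorAction SilentlyContinue
if ($listener) {
    $first = @($listener)[0]
    $proc  = Get-Process -Id $first.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('TCP 9395 is listening on {0} (PID {1}, {2})' -f $first.LocalAddress, $first.OwningProcess, $proc.ProcessName)
} else {
    Write-Output 'Nothing listening on TCP 9395.'
}
```

Run it in an elevated PowerShell session on each endpoint, or push it through your endpoint management tooling and collect the output; a result of "AFFECTED branch" on a host that is also listening on TCP 9395 is the one to prioritise. The 3.0.2 entry in the advisory is matched on its 3.0 major.minor, so fill in the exact fixed builds before treating any 3.x, 4.x or 5.x install as clean.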

Updates

Veeam released two new versions of its Veeam Agent for Microsoft Windows product:

The above vulnerability is addressed in these versions.

Updating

If you are using a version of Veeam Agent for Microsoft Windows prior to v4, please upgrade to a supported version.

For standalone Veeam Agent for Microsoft Windows deployments, the patched release must be installed manually on each machine.

For Veeam Agent for Microsoft Windows deployments managed by Veeam Backup & Replication, the update can be performed from the Veeam Backup & Replication Console after installing the Veeam Backup & Replication cumulative patches for v10a or for v11a. If an Auto-update backup agent task is enabled, the Veeam Agent for Microsoft Windows deployments will be updated automatically. Otherwise, the update must be manually triggered in the Veeam Backup & Replication console.

Concluding

Install the updates for your respective version of Veeam Agent for Microsoft Windows on your installations. As this vulnerability is rated Important, expedite patching your infrastructure to avoid compromise of your environment.

From my experience, many people use Veeam Agent for Microsoft Windows as the solution to back up endpoints and individual physical servers. Without the proper tooling, old and vulnerable versions of software may linger in these implementations. That is not something to look forward to…
