Last week, Veeam identified a critical vulnerability in a component of its Backup for Google Cloud solution that allows attackers to bypass authentication mechanisms and execute arbitrary code.
About Veeam Backup for Google
Veeam Backup for Google Cloud is a solution offered by Veeam to back up and restore Google Compute Engine instances, their persistent disks, Cloud SQL MySQL databases and cloud storage. Veeam does not use agents to back up Google Cloud but instead uses temporary instances, called workers, that are deployed only for the time they’re needed.
The solution is available as an instance from the Google Cloud marketplace that offers a web-based management portal.
About the vulnerability
The Backup Appliance component of Veeam Backup for Google Cloud contains a critical vulnerability that allows attackers to bypass authentication mechanisms.
The vulnerability has been automatically addressed by Veeam. For most organizations, no actions will be needed, as the Veeam Updater component will have automatically installed this fix during its daily check for updates.
After the fix has been installed, the Backup Appliance will be restarted automatically.
The vulnerability was found during internal testing at Veeam. Veeam has assigned a CVSS v3 score of 10.0 to this vulnerability.
The vulnerability is present in the Backup Appliance component in the following products:
- Veeam Backup for Google Cloud v1.0
- Veeam Backup for Google Cloud v3.0
Call to Action
Since November 8th, 2022, the Veeam Updater component will have automatically installed this fix during its daily check for updates and automatically resolved the vulnerability for implementations that are able to communicate with https://repository.veeam.com.
If the Veeam Backup for Google Cloud Backup Appliance does not have internet access, a manual update process is available.
To check whether the Backup Appliance has received the fix, check the version of the Veeam Updater component. Its version should be 220.127.116.114 or higher.