Last week, Veeam addressed several vulnerabilities in components of its Backup Enterprise Manager that allow attackers to bypass authentication mechanisms and execute arbitrary code.
About Veeam Backup Enterprise Manager
Veeam Backup Enterprise Manager is a supplementary management and reporting application that allows admins to manage multiple Veeam Backup & Replication (VBR) installations from a single web console. With a number of Veeam Backup & Replication instances installed on different servers, Veeam Backup Enterprise Manager acts as a single management point. It allows admins to:
- control license distribution,
- manage backup jobs across the backup infrastructure,
- analyze operation statistics of Veeam backup servers,
- perform restore operations.
About the vulnerabilities
Veeam Backup Enterprise Manager v12.1.2.172, released on May 21st, 2024, addresses four vulnerabilities:
CVE-2024-29849
Severity: Critical
CVSS v3.1 Score: 9.8
This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
CVE-2024-29850
Severity: High
CVSS v3.1 Score: 8.8
This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
CVE-2024-29851
Severity: High
CVSS v3.1 Score: 7.2
This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
CVE-2024-29852
Severity: Low
CVSS v3.1 Score: 2.7
This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.
Call to Action
The above vulnerabilities were addressed in Veeam Backup Enterprise Manager v12.1.2.172. For installations running v12.1.0.2132, an Updater is available. Older installations of Veeam Backup Enterprise Manager (starting with version 10.0.1.4854) can be upgraded using the ISO and the Upgrade Checklist.
Veeam Backup Enterprise Manager is a supplementary application. If it is not deployed in your environment, that environment is not affected by the above vulnerabilities.
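The remediation paths above depend only on the installed build number, so they are easy to apply across a fleet from an inventory export. The following Python script is an added example, not code from Veeam or from this advisory: it encodes the three thresholds the text gives (12.1.2.172 fixed, 12.1.0.2132 Updater, 10.0.1.4854 oldest ISO-upgradable build) and classifies each host. The inventory list and host names are constructed sample data; a build that is neither the exact Updater build nor at or above the fixed build is routed to the ISO path, since that is the only other path the advisory names.

```python
"""Triage installed Veeam Backup Enterprise Manager builds against the fix described in KB4581.

Added example; thresholds are taken from the advisory text, host data is constructed.
"""
from __future__ import annotations

FIXED = (12, 1, 2, 172)          # first build that contains the fixes
UPDATER_BUILD = (12, 1, 0, 2132)  # build for which the Updater is available
ISO_FROM = (10, 0, 1, 4854)       # oldest build upgradable via ISO + Upgrade Checklist


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '12.1.0.2132' into a comparable tuple.

    Python compares tuples element by element, so (12, 1, 2, 172) > (12, 1, 0, 2132).
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str | None) -> str:
    """Map one host's installed build (None = not installed) to a remediation action."""
    if version is None:
        return "not-installed"  # supplementary app absent: environment not affected
    build = parse_version(version)
    if build >= FIXED:
        return "patched"
    if build == UPDATER_BUILD:
        return "apply-updater"
    if build >= ISO_FROM:
        return "upgrade-via-iso"
    return "below-supported-upgrade-path"  # older than 10.0.1.4854: plan a fresh install


def summarize(inventory: dict[str, str | None]) -> dict[str, list[str]]:
    """Group hosts by action so the exposed ones can be worked first."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(triage(version), []).append(host)
    return groups


def exposed_hosts(inventory: dict[str, str | None]) -> list[str]:
    """Hosts that still run a vulnerable Enterprise Manager build."""
    return sorted(
        host for host, version in inventory.items()
        if triage(version) not in ("patched", "not-installed")
    )


# Constructed sample inventory (host -> installed Enterprise Manager build, None = absent).
SAMPLE_INVENTORY: dict[str, str | None] = {
    "vem-prod-01": "12.1.0.2132",
    "vem-prod-02": "12.1.2.172",
    "vem-dr-01": "11.0.1.1261",
    "vem-lab-01": "9.5.4.2866",
    "vbr-only-01": None,
}

if __name__ == "__main__":
    for action, hosts in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{action:32s} {', '.join(sorted(hosts))}")
    print("exposed:", exposed_hosts(SAMPLE_INVENTORY))
```

Feed `summarize()` the output of whatever tracks installed software in your environment; the only fields it needs are a host name and the Enterprise Manager build string.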
Further reading
KB4510: Release Information for Veeam Backup & Replication 12.1 and Updates
KB4581: Veeam Backup Enterprise Manager Vulnerabilities
Related blogposts
A Critical Remote Code Execution vulnerability in Veeam Backup for Azure was automatically addressed
A Critical Vulnerability in Veeam Backup for Google Cloud was automatically addressed (CVE-2022-43549)