Find Vulnerable Veeam Agent for Microsoft Windows Installations
Veeam disclosed a new vulnerability for its Windows agent, CVE-2022-26503. This vulnerability allows for local privilege escalation using the Veeam Windows agent. A local user may send malicious code to the network port opened by the Veeam Agent Service (TCP 9395 by default), which will not be deserialized properly.
Veeam has released new patches, so you should update your installations to 5 (build 5.0.3.4708) or 4 (build 4.0.2.2208) or higher. With the report below you’ll get an overview of all the Veeam Windows Agent installations in your environment along with their version and whether they have been updated to the fixed versions or not.
Veeam Agent for Microsoft Windows Vulnerability Audit Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.Version,
tblAssets.SP,
tblSoftwareUni.softwareName,
tblSoftwareUni.SoftwarePublisher,
tblSoftware.softwareVersion,
Case
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) < 4 Then
'Upgrade to Supported Version'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 2 Then
'Vulnerable'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 2 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 2208 Then
'Vulnerable'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 3 Then
'Vulnerable'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 3 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 4708 Then
'Vulnerable'
Else 'Safe'
End As [Vulnerable/Safe],
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) < 4 Then
'#ffadad'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 2 Then
'#ffadad'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 4 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 2 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 2208 Then
'#ffadad'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 3 Then
'#ffadad'
When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 5 And
Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 3 And
Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 4708 Then
'#ffadad'
Else '#d4f4be'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblSoftware On tblSoftware.AssetID = tblAssets.AssetID
Inner Join dbo.tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblSoftwareUni.softwareName Like 'Veeam Agent for Microsoft Windows%' And
tblState.Statename = 'Active'
Order By tblAssets.Domain,
tblAssets.AssetName
