Veeam Backup & Replication RCE Vulnerabilities Audit

Find Vulnerable Veeam Installations

Veeam Backup & Replication contains multiple vulnerabilities that could lead to remote code execution. Veeam Backup & Replication 9.5, 10 and 11 contain:

  • A vulnerability in which an unauthenticated user can access internal API functions over port 9380/TCP (CVE-2022-26500).
  • A vulnerability in which the above vulnerability may be used to execute malicious code remotely without authentication (CVE-2022-26501).
  • A vulnerability in Veeam.Backup.PSManager.exe in which authentication using non-administrative domain credentials is allowed when Veeam Backup & Replication is installed with a registered Microsoft System Center Virtual Machine Manager (SCVMM) server (CVE-2022-26504).


Veeam has released new patches, so you should update your installations to version 11a (build 11.0.1.1261 P20220302) or 10a (build 10.0.1.4854 P20220304). The report below provides an overview of all your Veeam Backup & Replication installations along with their version and an indication of whether they are vulnerable or not.

Veeam Vulnerability Audit Query

-- Lansweeper report: lists every active asset with Veeam Backup & Replication installed
-- and compares the installed build against the patched builds 10.0.1.4854 and 11.0.1.1261.
-- ParseName() splits the four-part version string from the right: part 4 is the major
-- version, part 2 the third component (0 or 1 for the 10.x and 11.x builds concerned),
-- part 1 the build number. The second component (part 3) is not needed for this check.
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.Version,
tblAssets.SP,
tblSoftwareUni.softwareName,
tblSoftwareUni.SoftwarePublisher,
tblSoftware.softwareVersion,
Case
  -- A version string that is not four dot-separated parts makes ParseName() return
  -- NULL, so it would never match a 'Vulnerable' branch; flag it for manual review.
  When ParseName(tblSoftware.softwareVersion, 4) Is Null Then
    'Unknown Version'
  -- 9.5 and earlier are unsupported and receive no patch for these CVEs.
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) <= 9 Then
    'Upgrade to Supported Version'
  -- 10.0.0.x: every build predates 10a.
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 10 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 1 Then
    'Vulnerable'
  -- 10.0.1.x: fixed from build 4854 (10a P20220304).
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 10 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 1 And
    Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 4854 Then
    'Vulnerable'
  -- 11.0.0.x: every build predates 11a.
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 11 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 1 Then
    'Vulnerable'
  -- 11.0.1.x: fixed from build 1261 (11a P20220302).
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 11 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 1 And
    Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 1261 Then
    'Vulnerable'
  Else 'Safe'
End As [Vulnerable/Safe],
Case
  -- Only report an error when the latest scan error actually carries text.
  When tblErrors.ErrorText Is Not Null And
    tblErrors.ErrorText != '' Then
    'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
  Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried,
-- Row colour mirrors the verdict above: red for vulnerable or unsupported,
-- amber for an unparseable version, green for patched builds.
Case
  When ParseName(tblSoftware.softwareVersion, 4) Is Null Then
    '#ffe5a3'
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) <= 9 Then
    '#ffadad'
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 10 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 1 Then '#ffadad'
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 10 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 1 And
    Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 4854 Then
    '#ffadad'
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 11 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 1 Then '#ffadad'
  When Cast(ParseName(tblSoftware.softwareVersion, 4) As int) = 11 And
    Cast(ParseName(tblSoftware.softwareVersion, 2) As int) = 1 And
    Cast(ParseName(tblSoftware.softwareVersion, 1) As int) < 1261 Then
    '#ffadad'
  Else '#d4f4be'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
  tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblSoftware On tblSoftware.AssetID = tblAssets.AssetID
Inner Join dbo.tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
-- Pick the most recent error record (highest Teller) per asset.
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
  Max(tblErrors.Teller) As ErrorID
  From tblErrors
  Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
  ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
  tblErrors.ErrorType
-- Match the product by its installed software name; only active assets are listed.
Where tblSoftwareUni.softwareName Like 'Veeam Backup & Replication%' And
  tblState.Statename = 'Active'
Order By tblAssets.Domain,
  tblAssets.AssetName
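To apply the same version check outside Lansweeper, for instance to an export of this report or to a version string collected by another inventory tool, here is an added Python example; it is not part of the Lansweeper report. It mirrors the Case expression's verdicts against the patched builds stated above, and it flags version strings that do not have four numeric parts instead of silently treating them as safe. The asset names and versions in the sample rows are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Builds that contain the fixes, as stated in the advisory text above.
PATCHED_BUILDS: Dict[int, Tuple[int, ...]] = {
    10: (10, 0, 1, 4854),
    11: (11, 0, 1, 1261),
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Split a Veeam version such as '11.0.1.1261' into four integers.

    Returns None when the string does not have exactly four numeric parts,
    which is the same situation in which T-SQL ParseName() returns NULL.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return the verdict strings used by the report's Case expression."""
    parsed = parse_version(version)
    if parsed is None:
        return "Unknown Version"  # needs manual review rather than 'Safe'
    major = parsed[0]
    if major <= 9:
        return "Upgrade to Supported Version"
    patched = PATCHED_BUILDS.get(major)
    if patched is None:
        return "Safe"  # a major release newer than the advisory covers
    # Tuple comparison checks major, minor, update and build in order.
    return "Vulnerable" if parsed < patched else "Safe"


def audit(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (asset name, installed version) pairs, e.g. a report export."""
    return [(asset, version, classify(version)) for asset, version in rows]


if __name__ == "__main__":
    # Constructed sample inventory rows (hypothetical assets and versions).
    sample = [
        ("VBR-01", "11.0.1.1261"),
        ("VBR-02", "11.0.0.837"),
        ("VBR-03", "10.0.1.4853"),
        ("VBR-04", "9.5.4.2866"),
        ("VBR-05", "11.0.1"),
    ]
    for asset, version, verdict in audit(sample):
        print(f"{asset:8} {version:12} {verdict}")
```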

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit