Three new vulnerabilities in the popular Veeam product Backup & Replication can lead to remote code execution. The vulnerabilities affect Backup & Replication versions 9.5, 10, and 11.
CVE-2022-26500 & CVE-2022-26501
The first two vulnerabilities allow unauthenticated users to access the internal API functions over port 9380/TCP. Attackers can abuse this by sending inputs to the internal API remotely to either upload or even execute malicious code. CIS provided guidance on this vulnerability and indicated that it should be a high priority for all large government entities.
The third vulnerability is in a Backup & Replication component used for Microsoft System Center Virtual Machine Manager (SCVMM). It allows domain users to execute malicious code remotely which in turn can lead to loss of control over the target system. This vulnerability is caused due to the process Veeam.Backup.PSManager.exe (TCP 8732 by default) allowing authentication using non-administrative domain credentials.
Veeam also released information on a vulnerability affecting their windows Agent. This vulnerability allows for local privilege escalation using the Veeam Windows agent. A local user may send malicious code to the network port opened by the Veeam Agent Service (TCP 9395 by default), which will not be deserialized properly. Veeam released new patches for their supported Veeam Agent for Windows versions.
Audit Your Devices
To ensure that none of the above vulnerabilities can be abused in your environment, you should update vulnerable versions of Veeam Backup & Replication as soon as possible. Veeam has listed that installations should be updated to version 11a (build 220.127.116.111 P20220302) or 10a (build 10.0.1.4854 P20220304). If you are still using version 9.5, an upgrade to version 10 or 11 is required.
To check if your Veeam Backup & Replication installations are vulnerable, and to list on which devices you have a Veeam Backup & Replication installation, we've created the report below which will give you an overview of all Veeam Backup & Replication installations along with their vulnerability status for the above-mentioned vulnerabilities.
To check your Veeam Agent for Windows, the report below provides an overview of all Veeam Agent for Windows along with their version and whether they contain CVE-2022-26503 or not. Versions updated to 5 (build 18.104.22.16808) or 4 (build 22.214.171.1248) or higher are safe.