Veeam Backup Enterprise Manager vulnerabilities

Published: May 23, 2024

Summary:

Veeam has notified one of our units about the vulnerabilities in their Backup Enterprise Manager product listed below. The worst of them, CVE-2024-29849, allows an attacker to log in to the web interface as any user. The others are described below and, coupled with this, could facilitate pass-the-hash attacks against other servers.

Backup Enterprise Manager is a supplement for Veeam Backup & Replication (VBR) that allows it to be managed using a web console. As such, it may not be installed in all environments.

If you have Backup Enterprise Manager installed, please patch it ASAP. If patching is not feasible, follow the mitigation steps below or as described in greater detail in the Veeam article.

Vulnerability details:

CVE/CVSS3

  • CVE-2024-29849, Severity: Critical, CVSS v3.1, Score: 9.8
  • CVE-2024-29850, Severity: High, CVSS v3.1, Score: 8.8
  • CVE-2024-29851, Severity: High, CVSS v3.1, Score: 7.2
  • CVE-2024-29852, Severity: Low, CVSS v3.1, Score: 2.7

Impacted versions:

Veeam Backup & Replication | 5.0 | 6.1 | 6.5 | 7.0 | 8.0 | 9.0 | 9.5 | 10 | 11 | 12 | 12.1

Details:

  • CVE-2024-29849

    This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the web interface as any user.

  • CVE-2024-29850

    This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.

  • CVE-2024-29851

    This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.

  • CVE-2024-29852

    This Veeam Backup Enterprise Manager vulnerability allows high-privileged users to read backup session logs.

Recommendations:

Update all your instances immediately to the current version, 12.1.2.172.
Release Information for Veeam Backup & Replication 12.1 and Updates

Optional mitigation steps:

If users of Veeam are not able to upgrade their Veeam Backup Enterprise Manager to 12.1.2.172 immediately, they can follow the steps below as a workaround.

  • It is advised to disable the following services:
    • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
    • VeeamRESTSvc (Veeam RESTful API Service)

However, it is advised not to stop the Veeam Backup Server RESTful API Service.

  • If the Veeam Backup Enterprise Manager software is installed on a dedicated server, it can be upgraded to version 12.1.2.172 without immediately upgrading Veeam Backup & Replication itself.
  • Additionally, if the Veeam Backup Enterprise Manager is not in use, it can be uninstalled.
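The interim workaround above, written out as an added PowerShell script (not part of the advisory and not Veeam's own tooling): it reads the version of the Enterprise Manager service binary to see whether the host is already on 12.1.2.172, and if not, stops and disables only the two services named above, leaving the Veeam Backup Server RESTful API Service and everything else untouched. It assumes the service executable's file version tracks the product build; confirm against the Veeam console before relying on it.

```powershell
# Added example: apply the advisory's interim workaround on a Backup Enterprise Manager host.
# Run in an elevated PowerShell session. Only the two services named in the advisory are
# touched; the Veeam Backup Server RESTful API Service is deliberately NOT in this list.
#Requires -RunAsAdministrator

$FixedVersion = [version]'12.1.2.172'
$ServicesToDisable = @(
    'VeeamEnterpriseManagerSvc',   # Veeam Backup Enterprise Manager
    'VeeamRESTSvc'                 # Veeam RESTful API Service (Enterprise Manager)
)

function Get-VeeamServiceVersion {
    param([string]$ServiceName)
    # Resolve the service's executable from its registered command line and read its file
    # version. Assumption: the binary's version tracks the product build (verify in the console).
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^([^ ]+\.exe).*$', '$1'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    return (Get-Item -LiteralPath $exe).VersionInfo.FileVersion -as [version]
}

$emVersion = Get-VeeamServiceVersion -ServiceName 'VeeamEnterpriseManagerSvc'
if (-not $emVersion) {
    Write-Host 'VeeamEnterpriseManagerSvc not found or unreadable: Backup Enterprise Manager does not appear to be installed here; nothing to do.'
    return
}
if ($emVersion -ge $FixedVersion) {
    Write-Host "Enterprise Manager binary reports $emVersion (>= $FixedVersion): patched, workaround not needed."
    return
}
Write-Warning "Enterprise Manager binary reports $emVersion (< $FixedVersion): applying interim workaround."

foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "$name not present, skipping."; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    # Disabled rather than merely stopped, so a reboot cannot bring the service back.
    Set-Service -Name $name -StartupType Disabled
    $after = Get-Service -Name $name
    Write-Host ("{0}: status {1}, startup type {2}" -f $name, $after.Status, $after.StartType)
}
```

Re-run the script after patching: once the binary reports 12.1.2.172 or later it makes no changes, but the two services still need to be re-enabled by hand (Set-Service -StartupType Automatic) when the upgrade is complete.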

Support:

As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.