Veeam Software has patched two critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) affecting its popular Veeam Backup & Replication solution, which could be exploited by unauthenticated attackers to remotely execute malicious code.
Veeam Backup & Replication is an enteprise data protection solution that allows admins to create image-level backups of virtual, physical, cloud machines and restore from them.
According to the company’s latest shared information, more than 450,000 users have downloaded Veeam Backup & Replication v11 since its launch in Q1 2021.
About the vulnerabilities (CVE-2022-26500, CVE-2022-26501)
Both vulnerabilities may allow attackers to achieve RCE and gain control over a vulnerable system.
Specifics of the vulnerabilities have not been shared, either by the company or by Nikita Petrov, the Positive Technologies researcher who discovered and reported them.
Veeam simply noted that “The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.”
Veeam Backup & Replication v9.5, 10 and 11 are affected, and patches have been provided for the latter two. The company is urging users of the former to upgrade to a supported version.
If the patches cannot be implemented quickly, admins can temporarily stop and disable the Veeam Distribution Service.
In addition to fixing these flaws, the same patches also close CVE-2022-26504, another RCE hole that affects a component used for Microsoft System Center Virtual Machine Manager integration.
“The vulnerable process Veeam.Backup.PSManager.exe (TCP 8732 by default) allows authentication using non-administrative domain credentials. A remote attacker may use the vulnerable component to execute arbitrary code,” the company shared, but added that the default Veeam Backup & Replication installation is not vulnerable to this issue.
Luckily for administrators, exploits for any of these vulnerabilities are yet to be made public.