Veeam fixes auth bypass flaw in Backup Enterprise Manager (CVE-2024-29849)
Veeam has patched four vulnerabilities in Backup Enterprise Manager (VBEM), one of which (CVE-2024-29849) may allow attackers to bypass authentication and log in to its web interface as any user.
With no user interaction required for remote exploitation and a low complexity of attack, CVE-2024-29849 is deemed to be critical.
Other fixed bugs
Veeam Backup Enterprise Manager (VBEM) is an application that is used to manage the Veeam Backup & Replication solution – a backup/restore app for virtual and physical machines and cloud-based workloads – via a web console.
Aside from CVE-2024-29849, Veeam has also plugged three other security holes, two of which may allow attackers to compromise accounts:
- CVE-2024-29850 allows account takeover via NTLM relay
- CVE-2024-29851 allows a high-privileged user to steal the NTLM hash of the app’s service account (if that service account is anything other than the default Local System account)
- CVE-2024-29852 allows high-privileged users to read backup session logs
Mitigation
The vulnerabilities affect all versions of Veeam Backup & Replication (starting from 5.0 and ending with 12.1), but they have only been fixed in Veeam Backup Enterprise Manager 12.1.2.172, which is packaged with Veeam Backup & Replication 12.1.2 (build 12.1.2.172) – the only currently supported version of that solution.
Still, deploying Veeam Backup Enterprise Manager is optional.
Veeam advises customers who can’t upgrade Veeam Backup Enterprise Manager to 12.1.2.172 to either halt the software or even uninstall it if not in use.
Also: “Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.”
While there’s no mention of any of the fixed vulnerabilities being exploited in the wild, a vulnerability in Veeam Backup & Replication has been leveraged by financially-motivated attackers last year.
UPDATE (June 10, 2024, 11:55 a.m. ET):
A technical write-up about and a PoC exploit for CVE-2024-29849 has been published by security researcher Sina Kheirkhah.