Veeam says critical flaw can't be abused to trash backups

Veeam says the recent critical vulnerability in its Backup Enterprise Manager (VBEM) can't be used by cybercriminals to delete an organization's backups.

Rated 9.8 out of a possible 10, exploiting CVE-2024-29849 could allow attackers the chance to log into the VBEM web interface without the need for authentication.

The flaw would allow attackers to log in as any user, but Veeam's security advisory didn't detail the vulnerability in any great depth, opening up questions about the potential impact and if customers' backups were safe.

Despite attackers being able to log into VBEM as any user and the privileges that come with that, it confirmed to The Register that exploiting the flaw couldn't possibly lead to backups being deleted.

"Because of our immutable backups and/or four-eyes authorization, the threat actor would receive an access denied error upon attempting to delete backups," said a spokesperson.

Offering a more general statement about the vulnerability, the company also said: "Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk. As part of this, we run rigorous internal testing, a vulnerability disclosure program and a bug bounty program for all our products. Through these programs, several potential vulnerabilities were identified in Veeam Backup Enterprise Manager. Veeam has created and released a fix for this issue and it's now available. We recommend all our customers keep their products updated.

"When a vulnerability is identified and disclosed, attackers will still attempt to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts. This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner."

Customers are being urged to apply the updates quickly but they may not apply to all organizations that rely on Veeam for data backups. 

VBEM is an optional, supplementary tool that customers can choose to deploy alongside Veeam Backup & Replication. It offers management capabilities for the main backup solution via a web console.

Veeam made it clear in the advisory, in an orange boxout and written in bold lettering, that not all customers will have VBEM installed and as such won't be vulnerable to the flaw.

The company also didn't offer an indication of how many or what proportion of backup customers choose to run it. The long and short of it is that if VBEM isn't installed then the vulnerability is nothing to worry about.

• NYSE parent gets $10M wrist tap for failing to report 2021 systems break-in
• GitHub Enterprise Server patches 10-outta-10 critical hole
• Uncle Sam to inject $50M into auto-patcher for hospital IT
• Critical Fluent Bit bug affects all major cloud providers, say researchers

The news that backups are safe despite attackers being able to log into VBEM will be welcomed by customers. If an attacker were able to delete backups, Professor Alan Woodward, a computer scientist at the University of Surrey, said it would be "the worst of all worlds" having an organization's safety net cut away.

Other flaws and how to protect

Veeam addressed CVE-2024-29849 and three other vulnerabilities in VBEM 12.1.2.172, which comes packaged with Veeam Backup & Replication 12.1.2 (build 12.1.2.172). 

The other bugs include:

• CVE-2024-29850 (8.8) – allows account takeover via NTLM relay

• CVE-2024-29851 (7.2) – high-privileged users can steal NTLM hash of a VBEM service account, providing that account isn't the default Local System account

• CVE-2024-29852 (2.7) – allows high-privileged users to read backup session logs

Naturally, applying the patch is the best route to safety, but if for whatever reason VBEM can't be upgraded to 12.1.2.172 immediately, organizations can halt the software in the interim. Stopping and disabling VeeamEnterpriseManagerSvc and VeeamRESTSvc will do the trick.

As VBEM is also compatible with older Veeam Backup & Replication servers, if running on a dedicated server, the patches can be applied without needing to upgrade Backup & Replication immediately.

If VBEM isn't being used, then of course uninstalling it is also an option. ®