2 Critical Bugs, 1 High-Severity Bug Affect Veeam Products
Company Has Issued Patches for All 3 Vulnerabilities
Two critical vulnerabilities and one high-severity vulnerability in two separate Veeam software products may allow attackers to perform remote code execution and local privilege escalation, respectively, on victims' systems, according to a cybersecurity researcher. The company has released fixes for all the bugs.
Backup and Replication Solution Bugs
Two of the vulnerabilities - CVE-2022-26500 and CVE-2022-26501 - were discovered in Veeam's backup and replication solution and have a CVSS score of 9.8, says Nikita Petrov, security researcher at cybersecurity firm Positive Technologies, who found the bugs.
Petrov says they can be exploited for ransomware, data theft and denial-of-service attacks by allowing attackers to:
- Gain initial access: Attackers can gain persistence on the device to install malware or achieve other goals.
- Disclose information: The vulnerabilities allow criminals to install malware to steal data or to directly execute commands that extract and delete data from the vulnerable device.
- Perform denial-of-service attacks: Attackers may try to run code on the system hosting the vulnerable application and disrupt the operation of any of the applications running on the system.
- Encrypt data: RCE vulnerabilities can be used to deploy and run ransomware on the vulnerable device.
In its knowledge base report, Veeam says: "The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API, which may lead to uploading and executing of malicious code."
The vulnerable versions of the product are 9.5, 10 and 11, Petrov says, while the patched versions are 10a and 11a.
Agent for Microsoft Windows Vulnerability
A third vulnerability, tracked as CVE-2022-26503, is a high-severity vulnerability in Veeam's Agent for Microsoft Windows, which allows local privilege escalation. "An attacker who exploits this vulnerability could run arbitrary code with LOCAL SYSTEM privileges," Veeam says.
Petrov says exploitation of the vulnerability can allow attackers to gain access to the resources of the compromised node with maximum privileges. "The information stored on a personal computer or server may be highly valuable to attackers and used to plan and conduct future attacks. In case of further compromise of the domain account, attackers can gain access to information located on the local network."
Veeam says the vulnerability was caused by Microsoft .NET data serialization mechanisms used in Windows. "A local user may send malicious code to the network port opened by Veeam Agent for Windows Service (TCP 9395 by default), which will not be deserialized properly."
The vulnerability affects product versions 2.0, 2.1, 2.2, 3.0.2, 4.0 and 5.0.
Patches Issued
Veeam has patched all three vulnerabilities reported by Petrov. The following updates are available for the affected products:
- Veeam Backup & Replication - 11a (build 11.0.1.1261 P20220302);
- Veeam Backup & Replication - 10a (build 10.0.1.4854 P20220304);
- Veeam Agent for Microsoft Windows - 5 (build 5.0.3.4708);
- Veeam Agent for Microsoft Windows - 4 (build 4.0.2.2208).
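As an added inventory check (example code written here, not code from Veeam or Positive Technologies): a small Python helper that parses a Veeam build string and compares it with the fixed builds listed above. It assumes that any build below the listed one, including the same numeric build without the P-suffix cumulative patch, is unpatched, that branches with no listed fix (Backup & Replication 9.5, Agent 2.x and 3.x) need an upgrade, and that the product reports its build in the "11.0.1.1261 P20220302" form.

```python
import re
from typing import Optional, Tuple

# Fixed builds as listed in this article, keyed by product and major branch.
# Branches with no listed fix are absent and are reported as needing an upgrade.
FIXED_BUILDS = {
    "Veeam Backup & Replication": {
        11: "11.0.1.1261 P20220302",
        10: "10.0.1.4854 P20220304",
    },
    "Veeam Agent for Microsoft Windows": {
        5: "5.0.3.4708",
        4: "4.0.2.2208",
    },
}

# Assumed build-string format: dotted numbers, optional "P<yyyymmdd>" suffix.
_BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:P(\d{8}))?\s*$")


def parse_build(build: str) -> Tuple[Tuple[int, ...], int]:
    """Split '11.0.1.1261 P20220302' into ((11, 0, 1, 1261), 20220302).

    A build with no cumulative-patch suffix gets patch level 0, so the bare
    build sorts below the same build carrying the fix.
    """
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised Veeam build string: {build!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return numbers, patch


def _key(build: str) -> Tuple[Tuple[int, ...], int]:
    numbers, patch = parse_build(build)
    # Pad to four components so '11.0.1' compares sensibly with '11.0.1.1261'.
    return numbers + (0,) * (4 - len(numbers)), patch


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_build) for an installed Veeam build.

    status: 'patched', 'vulnerable' (a fix exists for this branch but is not
    applied) or 'upgrade' (no fixed build listed for this branch).
    """
    numbers, _ = parse_build(installed)
    fixed = FIXED_BUILDS.get(product, {}).get(numbers[0])
    if fixed is None:
        return "upgrade", None
    if _key(installed) >= _key(fixed):
        return "patched", fixed
    return "vulnerable", fixed
```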
There are no workarounds for these vulnerabilities. If immediate patching is not possible, Positive Technologies says, users must carefully monitor for abnormal activity on nodes running the vulnerable products, in particular by checking event logs for newly created privileged user accounts and for access to sensitive files.
The vulnerabilities can put "many organizations at significant risk," Petrov says. "That is why it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products."
Experts Advise Urgent Patching
Patching the vulnerabilities promptly is key, as there is a high possibility of "ransomware groups showing an interest in this CVE," tweets Kevin Beaumont, a former Microsoft threat analyst and cybersecurity professional.
Although none of the exploits are publicly available, "Veeam is commonly used in SMB and MSP environments and has high confidentiality access by design (e.g., every system backup)," he says.
Technologist and cybersecurity expert Edwin Weijdema also sounded an alert for the CVE-2022-26503 vulnerability, which he says could be serious in the long run.