The vulnerabilities were discovered by Positive Technologies expert Nikita Petrov. Two of them affect Veeam Backup & Replication, a widely used backup system for automating backup and disaster-recovery processes. The third was identified in Veeam Agent for Microsoft Windows, a data backup product for Windows hosts.
According to the developer, Veeam solutions are used by about 400,000 customers in different countries, including 83% of the Fortune Global 500 and 69% of the Forbes Global 2000. Veeam ranks first by market share in Europe, the Middle East and Africa and second worldwide, and for the fifth year in a row it is a leader in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions.
“According to our forecasts, these vulnerabilities will be exploited by attackers in real attacks and will put many organizations at significant risk. Therefore, it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products,” noted Nikita Petrov.
Both vulnerabilities found in Veeam Backup & Replication (CVE-2022-26500, CVE-2022-26501) allow an unauthorized attacker to execute arbitrary code remotely (Remote Code Execution, RCE). Versions 9.5, 10 and 11 of the product are affected.
These vulnerabilities can be abused for a number of malicious actions:
- Initial access. Attackers can gain a foothold on the device to install malware or pursue other goals.
- Information disclosure. The vulnerabilities allow attackers to install data-stealing malware or to directly execute commands that extract and delete data from the vulnerable device.
- Denial of service. Attackers may run code on the system hosting the vulnerable application and disrupt this or other applications.
- Infrastructure encryption. RCE vulnerabilities can be used to deploy and run ransomware (encryption programs) on the vulnerable device.
In turn, CVE-2022-26503 in Veeam Agent for Microsoft Windows allows an attacker to execute arbitrary code on a host with the highest privileges (Local Privilege Escalation) and thereby gain full access to the compromised host's resources. Information stored on a workstation or server may be valuable to the attacker and can be used to plan and carry out further attacks on the organization; if a domain account is subsequently compromised, the attacker can reach information elsewhere on the local network. Versions 2.0, 2.1, 2.2, 3.0.2, 4.0 and 5.0 of the product are affected.
Positive Technologies experts recommend installing without delay the security updates released by Veeam for the affected products: 11a (build 18.104.22.1681 P20220302) and 10a (build 10.0.1.4854 P20220304) for Veeam Backup & Replication, and 5 (build 22.214.171.12408) and 4 (build 126.96.36.1998) for Veeam Agent for Microsoft Windows.
If the security updates cannot be installed, Positive Technologies recommends closely monitoring for abnormal activity on hosts running the affected products, in particular checking event logs for the creation of new privileged user accounts and for access to sensitive files.
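As an added illustration of that monitoring advice (example code, not from the article or from Veeam), the script below scans Windows Security events for new accounts, additions to privileged groups and access to backup files, and correlates an account that is created and then elevated by the same subject. The event IDs are standard Windows Security log IDs; the sample events, path prefixes and account names are constructed for this example.

```python
"""Flag Windows Security events matching the monitoring advice above.

Standard Windows Security event IDs used:
  4720        - a user account was created
  4728 / 4732 - a member was added to a security-enabled global / local group
  4663        - an attempt was made to access an object (file system auditing)
Sample events, paths and names below are constructed, not real log data.
"""
from typing import Iterable, List, Optional, Set

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}
SENSITIVE_PREFIXES = ("C:\\Backup\\", "C:\\ProgramData\\Veeam\\")  # placeholders


def classify(event: dict) -> Optional[str]:
    """Return a finding for a single event, or None if it is not of interest."""
    eid = event.get("EventID")
    who = event.get("SubjectUserName", "?")
    if eid == 4720:
        return f"new account created: {event['TargetUserName']} by {who}"
    if eid in (4728, 4732) and event.get("TargetGroup") in PRIVILEGED_GROUPS:
        return f"{event['MemberName']} added to {event['TargetGroup']} by {who}"
    if eid == 4663 and event.get("ObjectName", "").startswith(SENSITIVE_PREFIXES):
        return f"sensitive file access: {event['ObjectName']} by {who}"
    return None


def find_suspicious(events: Iterable[dict]) -> List[str]:
    """Collect findings for every event that classify() flags."""
    return [msg for e in events if (msg := classify(e))]


def created_then_elevated(events: Iterable[dict]) -> Set[str]:
    """Accounts created (4720) and later added to a privileged group by the same subject."""
    created = {}  # account name -> subject that created it
    elevated = set()
    for e in events:
        if e.get("EventID") == 4720:
            created[e["TargetUserName"]] = e.get("SubjectUserName")
        elif e.get("EventID") in (4728, 4732) and e.get("TargetGroup") in PRIVILEGED_GROUPS:
            member = e["MemberName"]
            if member in created and created[member] == e.get("SubjectUserName"):
                elevated.add(member)
    return elevated


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "svc_backup"},
    {"EventID": 4720, "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk2"},
    {"EventID": 4732, "SubjectUserName": "svc_backup", "MemberName": "helpdesk2", "TargetGroup": "Administrators"},
    {"EventID": 4732, "SubjectUserName": "admin", "MemberName": "alice", "TargetGroup": "Users"},
    {"EventID": 4663, "SubjectUserName": "helpdesk2", "ObjectName": "C:\\Backup\\dc01.vbk"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": "C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_EVENTS):
        print(line)
    print("created and elevated by the same subject:", created_then_elevated(SAMPLE_EVENTS))
```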