WARNING: AUTHENTICATION BYPASS IN VEEAM BACKUP ENTERPRISE MANAGER, PATCH IMMEDIATELY!
CVE-2024-29849: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Veeam: https://www.veeam.com/kb4581
Risks
A vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
Veeam Backup Enterprise Manager is an optional installation; this vulnerability applies to Veeam Backup Enterprise Manager specifically.
A proof of concept exploit has been observed on the internet, which makes it a lot easier for attackers to exploit this vulnerability.
Description
By gaining access to Veeam Backup Enterprise Manager with an administrator account, attackers obtain high-level access to the server.
This vulnerability could be targeted by ransomware actors to gain control over enterprise backups, making restoration from backups impossible, or to perform lateral movement into your environment.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
This vulnerability was patched in Veeam Backup Enterprise Manager 12.1.2.172.
In case updates are not possible, Veeam details workarounds to mitigate this vulnerability on their advisory page.
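A practical first step for the Patch action above is to find every Veeam Backup Enterprise Manager install whose build is older than the fixed version 12.1.2.172. The following is an added example, not Veeam's or the CCB's code: it compares dotted version strings numerically (a plain string comparison gets this wrong, since "12.1.2.9" sorts after "12.1.2.172" as text) and splits a host inventory into patched and still-vulnerable hosts. The hostnames and the versions other than 12.1.2.172 in the sample inventory are constructed; how you collect the installed version from each server is assumed to happen outside this script.

```python
"""Added example: triage Veeam Backup Enterprise Manager hosts against the
fixed build named in the advisory (12.1.2.172).

Not Veeam's or the CCB's code. Collecting the installed version string
from each host (inventory export, agent, manual lookup) is assumed to be
done elsewhere; this script only does the comparison correctly.
"""
from __future__ import annotations

FIXED_VERSION = "12.1.2.172"  # fixed build from the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints.

    Integer tuples order correctly; raw strings do not ("12.1.2.9" > "12.1.2.172"
    as text, although build 172 is the newer one).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True when the installed build is older than the fixed build.

    Shorter versions are zero-padded so that "12.1.2" compares as 12.1.2.0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into hosts that still need the patch
    and hosts already on a fixed build. Host order within each list is sorted."""
    result: dict[str, list[str]] = {"patch_required": [], "patched": []}
    for host, version in sorted(inventory.items()):
        key = "patch_required" if is_vulnerable(version) else "patched"
        result[key].append(host)
    return result


# Constructed sample inventory: hostnames and all versions except 12.1.2.172 are made up.
SAMPLE_INVENTORY = {
    "vbem-01.example.internal": "12.1.2.172",  # exactly the fixed build
    "vbem-02.example.internal": "12.1.0.1000",  # older branch
    "vbem-03.example.internal": "12.1.2.9",     # "bigger" as a string, but older
    "vbem-04.example.internal": "12.2.0.1",     # newer than the fixed build
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Running the script prints the hosts that still need the update and those already on a fixed build; the same `is_vulnerable` check can be fed from whatever inventory source you have. Hosts found vulnerable are also candidates for the historic-compromise review described under Monitor/Detect, since a patched server may have been exploited earlier.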
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
References
The Hacker News: https://thehackernews.com/2024/05/critical-veeam-backup-enterprise.html