CVE-2024-29849: Unpatched Veeam Users Vulnerable to Attack

Veeam is urging all users of Veeam Backup Enterprise Manager to update their software to the latest version due to the discovery of a critical vulnerability that allows attackers to bypass authentication safeguards.

Veeam Backup Enterprise Manager serves as a centralized solution for managing backups within the Veeam infrastructure. It provides a unified web interface for monitoring, reporting, and managing tasks related to backup, replication, and restoration.

CVE-2024-29849

The platform enables administrators to effortlessly manage extensive backups, perform searches and restores of individual files, and manage user and group access rights. Additionally, Veeam Backup Enterprise Manager simplifies administration and enhances data management efficiency in large IT environments.

The vulnerability, assigned identifier CVE-2024-29849 and rated 9.8 on the CVSS scale, allows an unauthenticated attacker to log into the Veeam Backup Enterprise Manager web interface as any user.

The company also reported three other vulnerabilities affecting the same product:

  • CVE-2024-29850 (CVSS score: 8.8) allows for account takeover via NTLM relay.
  • CVE-2024-29851 (CVSS score: 7.2) gives a privileged user the ability to steal NTLM hashes of a service account if it is not configured to run under a system account.
  • CVE-2024-29852 (CVSS score: 2.7) enables a privileged user to read backup session logs.

All these vulnerabilities have been addressed in version 12.1.2.172. It is important to note that the installation of Veeam Backup Enterprise Manager is not mandatory, and environments where it is not installed are not susceptible to these vulnerabilities.
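A small inventory triage helper, added here as an example and not Veeam's own tooling: it compares each host's reported Veeam Backup Enterprise Manager build against the fixed build 12.1.2.172 named above, treats hosts without Enterprise Manager as unaffected, and tolerates short version strings. Hostnames and build strings in the sample inventory are constructed; it assumes the build is available as a dotted version string (how you collect that is up to your asset inventory).

```python
from dataclasses import dataclass
from typing import Optional

# Patched build named in the advisory; every earlier VBEM build carries all four CVEs.
FIXED_VERSION = "12.1.2.172"

def parse_version(text: str) -> tuple:
    """Turn '12.1.2.172' into (12, 1, 2, 172); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """True when the reported VBEM build predates the fixed build (tuple comparison)."""
    return parse_version(version) < parse_version(FIXED_VERSION)

@dataclass
class Host:
    name: str
    vbem_version: Optional[str]  # None: VBEM not installed, so these CVEs do not apply

def triage(hosts: list) -> dict:
    """Bucket hosts into 'vulnerable', 'patched' and 'not_installed'."""
    result = {"vulnerable": [], "patched": [], "not_installed": []}
    for h in hosts:
        if h.vbem_version is None:
            result["not_installed"].append(h.name)
        elif is_vulnerable(h.vbem_version):
            result["vulnerable"].append(h.name)
        else:
            result["patched"].append(h.name)
    return result

# Constructed sample inventory: hypothetical hostnames and reported build strings.
SAMPLE_HOSTS = [
    Host("vbem-01", "12.1.1.56"),   # older 12.1.x build
    Host("vbem-02", "12.1.2.172"),  # exactly the fixed build
    Host("vbem-03", "12.1.2.180"),  # later build
    Host("vbem-04", "12.0"),        # short version string
    Host("vbr-only-01", None),      # Backup & Replication host without Enterprise Manager
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

This check covers only the four Enterprise Manager CVEs; the Agent for Windows and Service Provider Console issues mentioned below have their own fixed versions.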

In recent weeks, the company also resolved a local privilege escalation vulnerability in Veeam Agent for Windows (CVE-2024-29853, CVSS score: 7.2) and a critical remote code execution vulnerability in Veeam Service Provider Console (CVE-2024-29212, CVSS score: 9.9).

According to Veeam, the CVE-2024-29212 vulnerability is related to an insecure deserialization method used by the Veeam Service Provider Console (VSPC) when interacting with the management agent and its components, which under certain conditions allows remote code execution on the VSPC server.

An earlier vulnerability in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) has already been exploited by groups such as FIN7 and Cuba to distribute malware, including ransomware, highlighting the importance of promptly installing updates.