CISA adds Veeam Backup and Replication bugs to Known Exploited Vulnerabilities Catalog

US CISA added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Veeam Backup & Replication software, tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

According to the agency, the Veeam Distribution Service in the Backup & Replication application allows unauthenticated users to access internal API functions. A remote attacker can exploit the flaw by sending input to the internal API which may lead to arbitrary code execution.

“Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.” reads the advisory published by Veeam.

The flaws impact Backup & Replication product versions 9.5, 10, 11, patches are available for the following versions:

• 11a (build 11.0.1.1261 P20220302)
• 10a (build 10.0.1.4854 P20220304)

Both issues were discovered by Positive Technologies researcher Nikita Petrov.

“We believe that these vulnerabilities will be exploited in real attacks and will put many organizations at significant risk,” said Nikita Petrov. “That is why it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products.“

CISA orders federal agencies to address both vulnerabilities by January 03, 2022.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the following issues to the catalog:

• CVE-2022-42475 – Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability to address January 03, 2022.
• CVE-2022-44698 – Microsoft Defender SmartScreen Security Feature Bypass Vulnerability to address January 03, 2022.
• CVE-2022-27518 – Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability to address January 03, 2022.
• CVE-2022-42856 – Apple iOS Type Confusion Vulnerability to address January 04, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

[adrotate banner=”5″]

[adrotate banner=”13″]