Critical Veeam Backup Enterprise Manager authentication bypass bug
A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication.
A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication.
Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.
“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.
The company has addressed the following vulnerabilities in Veeam Backup Enterprise Manager:
- CVE-2024-29850 (CVSS score: 8.8) – the flaw allows account takeover via NTLM relay.
- CVE-2024-29851 (CVSS score: 7.2) – the flaw allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
- CVE-2024-29852 (CVSS score: 2.7) – the flaw allows a privileged user to read backup session logs.
The four vulnerabilities have been addressed with the release of version 12.1.2.172. The company also provided the following mitigation:
- This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
To do this, stop and disable the following services:
- VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
- VeeamRESTSvc (Veeam RESTful API Service)
Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.
- Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
- Veeam Backup Enterprise Manager can be uninstalled if it is not in use.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Veeam)