Veeam Backup & Replication Vulnerability Advisory | March 2022

A series of vulnerabilities were found in popular Veeam Backup & Replication software. Here's what you need to know.

Quick facts

  • Vulnerabilities exist in Veeam Backup & Replication software, versions 9.5, 10, 11 and Veeam Windows agent, versions 2.0, 2.1, 2.2, 3.0.2, 4.0, 5.0. 
  • The vulnerability is not exploitable from outside a company's network. A threat actor must first gain access into the internal environment and then execute the exploit.
  • Exploitation of the vulnerabilities could allow a threat actor to execute code on the system, bypassing authentication, gaining access to the backup servers, and ultimately leading to the destruction of backups in the lead up to a ransomware attack.

Background

The Center for Internet Security (CIS) issued an advisory regarding a series of vulnerabilities (CVE-2022-26500, CVE-2022-26501, CVE-2022-26504, CVE-2022-26503) affecting the popular Veeam Backup software. While there are no reports of these vulnerabilities being actively exploited, we can expect ransomware groups to add them to their toolkit.

Organizations using the following Veeam software versions are encouraged to patch as soon as possible:

  • Veeam Backup & Replication software versions 9.5, 10, 11 (CVE-2022-26500, CVE-2022-26501)
  • Veeam Backup & Replication component used for Microsoft's System Center Virtual Machine Manager (SCVMM), versions 9.5, 10, 11 (CVE-2022-26504)
  • Veeam Windows agent, versions 2.0, 2.1, 2.2, 3.0.2, 4.0, 5.0 (CVE-2022-26503)

CVE-2022-26500, CVE-2022-26501

Found in Veeam Backup & Replication software, versions 9.5, 10, 11. An attacker can exploit the software and execute code without any authentication. This could lead to the full compromise of the system and backups.

CVE-2022-26504

Found in the Veeam Backup & Replication component used for Microsoft's System Center Virtual Machine Manager (SCVMM), versions 9.5, 10, 11. Note that the default Veeam Backup & Replication installation is not vulnerable to this issue: only installations with an SCVMM server registered are vulnerable. The vulnerability would allow non-administrative domain users to execute malicious code remotely. This could lead to the full compromise of the system and backups.

CVE-2022-26503 

Found in the Veeam Windows agent, versions 2.0, 2.1, 2.2, 3.0.2, 4.0, 5.0. An attacker could exploit the software to run code with privileged access to the local system. This could lead to the full compromise of the system.

Next Steps for all Veeam Backup & Replication Customers:

  1. For CVE-2022-26500, CVE-2022-26501, CVE-2022-26504:
    1. Apply patches to the Veeam Backup & Replication software:
      1. Version 11a (build 11.0.1.1261 P20220302)
      2. Version 10a (build 10.0.1.4854 P20220304) 
    2. If you are unable to patch, the following mitigation can be used:
      1. Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and on servers specified as distribution servers in Protection Groups.
  2. For CVE-2022-26503:
    1. If auto updates are enabled (which we recommend), updates will be applied automatically. 
    2. If you are manually updating, apply patches to the Veeam Agent for Microsoft Windows:
      1. Version 5 (build 5.0.3.4708)
      2. Version 4 (build 4.0.2.2208)
  3. Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.
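The following PowerShell script is an added example for the steps above; it is not from the advisory or from Veeam. It reads the installed Veeam Backup & Replication build from the Windows Uninstall registry keys, compares it with the fixed builds listed above (11.0.1.1261 and 10.0.1.4854), and, if the host is unpatched, applies the interim mitigation by stopping and disabling the Veeam Distribution Service. It assumes the product's DisplayVersion value contains a four-part build number and that the service is registered under the display name "Veeam Distribution Service".

```powershell
# Added example (not from the advisory or from Veeam). Run elevated on the backup server.
# Fixed builds from the advisory, keyed by major version. Version 9.5 is listed as affected
# but has no fixed build in the advisory, so it is always treated as unpatched here.
$FixedBuilds = @{ '11' = [version]'11.0.1.1261'; '10' = [version]'10.0.1.4854' }

function Get-VbrInstalledVersion {
    # Assumption: the product registers a DisplayVersion under the Uninstall keys.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
        ForEach-Object {
            # Extract the four-part build so a trailing patch tag (e.g. "P20220302") does not break the cast.
            if ($_.DisplayVersion -match '(\d+\.\d+\.\d+\.\d+)') { [version]$Matches[1] }
        } | Sort-Object -Descending | Select-Object -First 1
}

function Test-VbrPatched {
    param([Parameter(Mandatory)][version]$Installed)
    $major = [string]$Installed.Major
    if ($FixedBuilds.ContainsKey($major)) { return ($Installed -ge $FixedBuilds[$major]) }
    return $false
}

$installed = Get-VbrInstalledVersion
if (-not $installed) {
    Write-Warning 'Veeam Backup & Replication was not found in the Uninstall registry keys.'
    return
}

if (Test-VbrPatched -Installed $installed) {
    Write-Host "Installed build $installed is at or above the fixed build; no interim mitigation needed."
} else {
    Write-Warning "Installed build $installed is below the fixed build. Applying interim mitigation."
    # Assumption: the service's display name is "Veeam Distribution Service" as the advisory calls it.
    $svc = Get-Service -DisplayName 'Veeam Distribution Service' -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
        Set-Service -InputObject $svc -StartupType Disabled
        Write-Host "'$($svc.DisplayName)' stopped and disabled. Re-enable it after the patch is applied."
    } else {
        Write-Warning 'Veeam Distribution Service is not present on this host.'
    }
}
```

Run it on the Veeam Backup & Replication server and on every host listed as a distribution server in Protection Groups, since the service is installed on those too.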

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!