Scrape Timestamp (UTC): 2024-05-21 22:28:49.531
Original Article Text
Veeam warns of critical Backup Enterprise Manager auth bypass bug

Veeam warned customers today to patch a critical security vulnerability that allows unauthenticated attackers to sign in to any account via the Veeam Backup Enterprise Manager (VBEM).

VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments.

It's important to note that VBEM isn't enabled by default, and not all environments are susceptible to attacks exploiting the CVE-2024-29849 vulnerability, which Veeam has rated with a CVSS base score of 9.8/10.

"This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user," the company explains.

Admins who cannot immediately upgrade to VBEM version 12.1.2.172, which patches this security flaw, can still mitigate it by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services. If not currently in use, Veeam Backup Enterprise Manager can also be uninstalled using these instructions to remove the attack vector.

Today, Veeam also patched two high-severity VBEM vulnerabilities: one that allows account takeover via NTLM relay (CVE-2024-29850), and a second that enables high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash if the service is not configured to run as the default Local System account (CVE-2024-29851).

Veeam flaws targeted in ransomware attacks

In March 2023, Veeam patched a high-severity vulnerability (CVE-2023-27532) in the Backup & Replication software that could be exploited to breach backup infrastructure hosts.

This vulnerability was subsequently exploited in attacks attributed to the financially motivated FIN7 threat group, which has been linked to various ransomware operations such as Conti, REvil, Maze, Egregor, and BlackBasta. Months later, Cuba ransomware affiliates used the same vulnerability in attacks targeting U.S. critical infrastructure and IT companies in Latin America.

In November, the company released hotfixes to address two other critical flaws (with 9.8 and 9.9/10 CVSS base scores) in its ONE IT infrastructure monitoring and analytics platform. These flaws allow threat actors to gain remote code execution (CVE-2023-38547) and steal NTLM hashes (CVE-2023-38548) from vulnerable servers.

Veeam's products are used by more than 450,000 customers worldwide, including 74% of all Global 2,000 companies.
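The advisory's interim workaround (stop and disable VeeamEnterpriseManagerSvc and VeeamRESTSvc until 12.1.2.172 is installed) and the CVE-2024-29851 condition (service account other than Local System) can both be checked from the VBEM host. The following PowerShell script is an added example and is not Veeam's own tooling: it reports the installed VBEM version against the fixed build, shows the state and run-as account of the two services, and with -Mitigate applies the workaround. The service names and the fixed version come from the article; the assumption that VBEM registers itself under the standard Uninstall registry keys with a DisplayName starting "Veeam Backup Enterprise Manager" is mine.

```powershell
# Added example (not Veeam's tooling). Audits a host for the VBEM exposure described
# above and, with -Mitigate, applies the advisory's interim workaround.
# Service names and the fixed build 12.1.2.172 come from the advisory; the Uninstall-key
# lookup and the DisplayName pattern are assumptions about how VBEM registers itself.
[CmdletBinding()]
param(
    [switch]$Mitigate   # stop and disable the two services instead of only reporting
)

$FixedVersion = [version]'12.1.2.172'
$Services     = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

# 1. Is VBEM installed, and at which version? (assumed: standard Uninstall keys)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$vbem = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup Enterprise Manager*' } |
        Select-Object -First 1

if (-not $vbem) {
    Write-Output 'VBEM not found under the Uninstall registry keys; nothing to do on this host.'
} else {
    $installed = $null
    try { $installed = [version]$vbem.DisplayVersion } catch { }
    if ($null -eq $installed) {
        Write-Warning "VBEM is installed but DisplayVersion '$($vbem.DisplayVersion)' could not be parsed."
    } elseif ($installed -ge $FixedVersion) {
        Write-Output "VBEM $installed is at or above the fixed build $FixedVersion."
    } else {
        Write-Warning "VBEM $installed is below $FixedVersion and exposed to CVE-2024-29849."
    }
}

# 2. Report the two services that carry the web and REST attack surface, and their run-as accounts.
foreach ($name in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "$name is not present."; continue }

    Write-Output ("{0}: State={1} StartMode={2} RunsAs={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)

    # CVE-2024-29851 applies when the service account is not the default Local System.
    if ($svc.StartName -ne 'LocalSystem') {
        Write-Warning "$name runs as '$($svc.StartName)' rather than LocalSystem (CVE-2024-29851 condition)."
    }

    # 3. Interim workaround from the advisory: stop and disable both services.
    if ($Mitigate) {
        if ($svc.State -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Output "$name stopped and set to Disabled; re-enable after upgrading to $FixedVersion."
    }
}
```

Run it without parameters from an elevated PowerShell session to get a read-only report; add -Mitigate only on hosts where the upgrade cannot be applied immediately, since disabling the services also disables the Enterprise Manager console and its REST API for legitimate use.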
Daily Brief Summary
Veeam has alerted customers about a critical vulnerability in its Backup Enterprise Manager product, urging immediate patching.
The security flaw, identified as CVE-2024-29849, permits unauthenticated attackers to log into any account on the VBEM platform.
VBEM, a web management tool, is not enabled by default, reducing the risk for some environments.
The vulnerability scored a high 9.8/10 on the CVSS scale, indicating severe risk.
Temporary mitigation involves stopping and disabling related Veeam services or uninstalling the vulnerable platform if not in use.
In addition to CVE-2024-29849, Veeam also patched other high-severity vulnerabilities concerning account takeovers and NTLM hash stealing.
Historical context: Veeam has been a target in past ransomware operations, with vulnerabilities exploited by known threat groups against U.S. critical infrastructure and Latin American IT firms.
Globally, Veeam’s solutions are employed by over 450,000 customers, making security breaches particularly impactful.