Critical Veeam Backup Enterprise Manager authentication bypass bug
A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication.
A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication.
Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.
Alongside CVE-2024-29849, the company has addressed the following vulnerabilities in Veeam Backup Enterprise Manager:
- CVE-2024-29850 (CVSS score: 8.8) – the flaw allows account takeover via NTLM relay.
- CVE-2024-29851 (CVSS score: 7.2) – the flaw allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
- CVE-2024-29852 (CVSS score: 2.7) – the flaw allows a privileged user to read backup session logs.
The four vulnerabilities have been addressed with the release of version 12.1.2.172. The company also provided the following mitigation:
- This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software. To do this, stop and disable the following services:
  - VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  - VeeamRESTSvc (Veeam RESTful API Service)
  Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.
- Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
- Veeam Backup Enterprise Manager can be uninstalled if it is not in use.
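The interim mitigation above, scripted as an added example (not code from Veeam's advisory or from this article): it checks the installed version against 12.1.2.172 and, if the host is still unpatched, stops and disables exactly the two services named. It assumes an elevated PowerShell session on the Enterprise Manager host and that the product registers a DisplayName starting with 'Veeam Backup Enterprise Manager' under the standard Uninstall registry key; both are assumptions, not facts from the page.

```powershell
# Added example, not from Veeam's advisory or the article.
# Assumes an elevated PowerShell session on the Enterprise Manager host.
$FixedVersion = [version]'12.1.2.172'

# Exactly the two services the advisory names. The 'Veeam Backup Server
# RESTful API Service' is deliberately absent; no wildcards are used, so it
# can never be matched by accident.
$ServicesToHalt = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

function Stop-VeeamEnterpriseManager {
    foreach ($name in $ServicesToHalt) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$name' not present on this host; skipping."
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            # No -Force: fail loudly rather than cascade into dependent services.
            Stop-Service -Name $name -ErrorAction Stop
        }
        # Disabled start type keeps the service down across reboots.
        Set-Service -Name $name -StartupType Disabled
        $svc.Refresh()
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status
            StartType = $svc.StartType
        }
    }
}

function Test-VeeamEnterpriseManagerPatched {
    # Assumption: the product's DisplayName/DisplayVersion live under the
    # standard Uninstall key; adjust the filter if your install differs.
    $entry = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup Enterprise Manager*' } |
        Select-Object -First 1
    if (-not $entry) {
        Write-Warning 'Enterprise Manager not found under the Uninstall key.'
        return $false
    }
    $installed = [version]$entry.DisplayVersion
    Write-Host "Installed: $installed   Fixed in: $FixedVersion"
    return ($installed -ge $FixedVersion)
}

if (-not (Test-VeeamEnterpriseManagerPatched)) {
    Stop-VeeamEnterpriseManager | Format-Table -AutoSize
}
```

Re-run `Test-VeeamEnterpriseManagerPatched` after upgrading to confirm the version before re-enabling the services.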
(SecurityAffairs – hacking, Veeam)