Veeam says critical flaw can't be abused to trash backups

It's still a rough one, so patch up


Veeam says the recent critical vulnerability in its Backup Enterprise Manager (VBEM) can't be used by cybercriminals to delete an organization's backups.

Rated 9.8 out of a possible 10, CVE-2024-29849 could allow attackers to log into the VBEM web interface without authenticating.

The flaw would allow attackers to log in as any user, but Veeam's security advisory didn't detail the vulnerability in any great depth, opening up questions about the potential impact and whether customers' backups were safe.

Despite attackers being able to log into VBEM as any user, with all the privileges that come with that, Veeam confirmed to The Register that exploiting the flaw couldn't possibly lead to backups being deleted.

"Because of our immutable backups and/or four-eyes authorization, the threat actor would receive an access denied error upon attempting to delete backups," said a spokesperson.

Offering a more general statement about the vulnerability, the company also said: "Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk. As part of this, we run rigorous internal testing, a vulnerability disclosure program and a bug bounty program for all our products. Through these programs, several potential vulnerabilities were identified in Veeam Backup Enterprise Manager. Veeam has created and released a fix for this issue and it's now available. We recommend all our customers keep their products updated.

"When a vulnerability is identified and disclosed, attackers will still attempt to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts. This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner."

Customers are being urged to apply the updates quickly, though the updates may not be relevant to every organization that relies on Veeam for data backups.

VBEM is an optional, supplementary tool that customers can choose to deploy alongside Veeam Backup & Replication. It offers management capabilities for the main backup solution via a web console.

Veeam made it clear in the advisory, in an orange boxout written in bold lettering, that not all customers have VBEM installed, and that those without it aren't vulnerable to the flaw.

The company also didn't offer an indication of how many or what proportion of backup customers choose to run it. The long and short of it is that if VBEM isn't installed then the vulnerability is nothing to worry about.

The news that backups are safe despite attackers being able to log into VBEM will be welcomed by customers. Professor Alan Woodward, a computer scientist at the University of Surrey, said that if an attacker were able to delete backups it would be "the worst of all worlds," having an organization's safety net cut away.

Other flaws and how to protect

Veeam addressed CVE-2024-29849 and three other vulnerabilities in VBEM 12.1.2.172, which comes packaged with Veeam Backup & Replication 12.1.2 (build 12.1.2.172).

The other bugs include:

Naturally, applying the patch is the best route to safety, but if for whatever reason VBEM can't be upgraded to 12.1.2.172 immediately, organizations can halt the software in the interim. Stopping and disabling VeeamEnterpriseManagerSvc and VeeamRESTSvc will do the trick.
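One way to audit a Windows host for the two VBEM services and, where the install is still unpatched, apply that interim mitigation, as an added PowerShell example that is not Veeam's or The Register's own code. It assumes the service executables' file versions track the VBEM build number (so anything below 12.1.2.172 is treated as unpatched) and that it is run from an elevated prompt.

```powershell
# Added example: report VBEM service state/version and, with -Disable, stop and
# disable the services named in the advisory as the interim mitigation.
# Assumption: the service binaries' FileVersion reflects the VBEM build.
param([switch]$Disable)

$serviceNames = 'VeeamEnterpriseManagerSvc', 'VeeamRESTSvc'   # from the Veeam advisory
$fixedBuild   = [version]'12.1.2.172'                          # first patched VBEM build

$present = Get-CimInstance Win32_Service | Where-Object { $serviceNames -contains $_.Name }
if (-not $present) {
    Write-Output 'VBEM services not found: CVE-2024-29849 does not apply to this host.'
    return
}

foreach ($svc in $present) {
    # PathName may be quoted and carry arguments; keep only the executable path.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $ver = $null
    if (Test-Path -LiteralPath $exe) {
        try { $ver = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion } catch { $ver = $null }
    }
    # Unknown version is treated as unpatched so the host is not wrongly marked safe.
    $state = if ($ver -and $ver -ge $fixedBuild) { 'patched' } else { 'UNPATCHED or unknown' }
    Write-Output ('{0}: state={1} startmode={2} version={3} -> {4}' -f
        $svc.Name, $svc.State, $svc.StartMode, $ver, $state)

    if ($Disable -and $state -ne 'patched') {
        # Interim mitigation from the advisory: halt the service and keep it down across reboots.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Output ('{0}: stopped and disabled pending upgrade to {1}' -f $svc.Name, $fixedBuild)
    }
}
```

Run it without `-Disable` first to see what it would act on; the services should be re-enabled only after VBEM has been upgraded to 12.1.2.172 or later.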

Because VBEM is also compatible with older Veeam Backup & Replication servers, customers running it on a dedicated server can apply the patches without needing to upgrade Backup & Replication immediately.

If VBEM isn't being used, then of course uninstalling it is also an option. ®
