Veeam warned clients immediately to patch a crucial safety vulnerability that enables unauthenticated attackers to signal into any account by way of the Veeam Backup Enterprise Supervisor (VBEM).
VBEM is a web-based platform that permits directors to handle Veeam Backup & Replication installations by way of a single net console. It helps management backup jobs and carry out restoration operations throughout a corporation’s backup infrastructure and large-scale deployments.
It is vital to notice that VBEM is not enabled by default, and never all environments are vulnerable to assaults exploiting the CVE-2024-29849 vulnerability, which Veeam has rated with a CVSS base rating of 9.8/10.
“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user,” the corporate explains.
Admins who can’t instantly improve to VBEM model 12.1.2.172, which patches this safety flaw, can nonetheless mitigate it by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Supervisor) and VeeamRESTSvc (Veeam RESTful API) providers.
If not at present in use, Veeam Backup Enterprise Supervisor will also be uninstalled utilizing these directions to take away the assault vector.
At the moment, Veeam additionally patched two high-severity VBEM vulnerabilities, one that enables account takeover by way of NTLM relay (CVE-2024-29850) and a second one that permits high-privileged customers to steal the Veeam Backup Enterprise Supervisor service account’s NTLM hash if it is not configured to run because the default Native System account (CVE-2024-29851).
Veeam flaws focused in ransomware assaults
In March 2023, Veeam patched a high-severity vulnerability (CVE-2023-27532) within the Backup & Replication software program that may very well be exploited to breach backup infrastructure hosts.
This vulnerability was subsequently exploited in assaults attributed to the financially motivated FIN7 menace group, linked to varied ransomware operations reminiscent of Conti, REvil, Maze, Egregor, and BlackBasta.
Months later, Cuba ransomware associates used the identical vulnerability in assaults concentrating on U.S. crucial infrastructure and Latin American IT corporations in Latin America.
In November, the corporate launched hotfixes to deal with two different crucial flaws (with 9.8 and 9.9/10 CVSS base scores) in its ONE IT infrastructure monitoring and analytics platform. These flaws permit menace actors to achieve distant code execution (CVE-2023-38547) and steal NTLM hashes (CVE-2023-38548) from susceptible servers.
Veeam’s merchandise are utilized by greater than 450,000 clients worldwide, together with 74% of all International 2,000 corporations.