Two critical vulnerabilities (CVE-2022-26500 and CVE-2022-26501) were discovered in Veeam Backup and Replication that allow potential adversaries to remotely execute code without authentication.
Another vulnerability, CVE-2022-26503, was discovered in Veeam Agent for Microsoft Windows that allows for local privilege escalation (LPE).
Positive Technologies, a cybersecurity company based in South Korea, uncovered all three flaws.
How Bad is This?
Both remote code execution (RCE) vulnerabilities (CVE-2022-26500 and CVE-2022-26501) were issued a 9.8 rating on the CVSS scale; in other words, critical severity. RCE is one of the most dangerous types of flaws. Combined with the fact that no authentication is needed, this makes for a ripe attack vector for ransomware groups and other cybercriminals.
The LPE flaw found in Veeam Agent for Microsoft Windows is less critical, with a 7.8 CVSS rating, but it is still considered high severity.
— Kevin Beaumont (@GossiTheDog) March 13, 2022
Veeam Backup and Replication is a recovery solution for cloud, physical and virtual workloads. Veeam is common within SMB and MSP environments, and has high confidentiality access by design.
The good news is that no exploits are publicly available yet, according to a Kevin Beaumont (@GossiTheDog) tweet. However, it’s likely a matter of time until exploits are released.
What Should I Do?
Fortunately, there are patches available that resolve the issues; immediately patch to mitigate your risk.
If you’re unable to patch, Veeam has offered instructions on how to temporarily mitigate the risk:
“Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.”
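One way to apply and verify this temporary mitigation on several servers at once, as an added example that is not from Veeam or the original post. It assumes PowerShell remoting (WinRM) is enabled, finds the service by the display name quoted above, and uses placeholder host names.

```powershell
# Added example: stop and disable the Veeam Distribution Service, then report per host.
# ASSUMPTIONS: host names are placeholders; the service is matched by the display
# name quoted in the mitigation text; WinRM remoting is enabled on each server.
$DisplayName = 'Veeam Distribution Service'
$Servers     = @('vbr-server.example.local', 'dist-server.example.local')  # placeholders

$results = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ArgumentList $DisplayName -ScriptBlock {
    param($DisplayName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$DisplayName'"
    if (-not $svc) {
        # Service not installed here: nothing to mitigate on this host
        return [pscustomobject]@{ Found = $false; State = $null; StartMode = $null }
    }

    # Disable first so the service cannot be restarted between the two steps
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
    }

    # Re-query to report the state actually in effect after the change
    $after = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$DisplayName'"
    [pscustomobject]@{ Found = $true; State = $after.State; StartMode = $after.StartMode }
}

# Per-host summary (PSComputerName is added by remoting)
$results | Select-Object PSComputerName, Found, State, StartMode | Format-Table -AutoSize

# Hosts where the service exists but is not both stopped and disabled
$results | Where-Object { $_.Found -and ($_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled') }

# Hosts that returned nothing (unreachable or remoting failed) still need a manual check
$Servers | Where-Object { $_ -notin $results.PSComputerName }
```

Re-enable the service only after the patched version is installed.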