History: May 22, 2024 - 3:45 a.m.

Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass

2024-05-22 03:45:00
The Hacker News
thehackernews.com
Tags: veeam backup enterprise manager, security flaw, authentication bypass, cve-2024-29849, vulnerability, ntlm relay, cve-2024-29850, local privilege escalation, cve-2024-29853, remote code execution, cve-2024-29212, threat actors, fin7, cuba, ransomware, patch vulnerabilities

CVSS3: 7.5 High
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 9.5 High (Confidence: High)

EPSS: 0.022 Low (Percentile: 89.6%)

Veeam Backup Enterprise Manager

Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections.

Tracked as CVE-2024-29849 (CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.

The company has also disclosed three other shortcomings impacting the same product:

  • CVE-2024-29850 (CVSS score: 8.8), which allows account takeover via NTLM relay
  • CVE-2024-29851 (CVSS score: 7.2), which allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if it’s not configured to run as the default Local System account
  • CVE-2024-29852 (CVSS score: 2.7), which allows a privileged user to read backup session logs

All the flaws have been addressed in version 12.1.2.172. However, Veeam noted that deploying Veeam Backup Enterprise Manager is optional and that environments that do not have it installed are not impacted by the flaws.
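The practical check that follows from the paragraph above is an inventory sweep: every host running Veeam Backup Enterprise Manager below 12.1.2.172 needs the update, and hosts where the optional component is not installed are out of scope. The script below is an added example, not Veeam's tooling or code from the article; the hostnames and versions in its sample inventory are constructed, and the only fixed build it relies on is the 12.1.2.172 named in the text. It compares versions numerically, because a string comparison would wrongly rank a hypothetical 12.1.10.x build below 12.1.2.172.

```python
# Added example: triage an inventory of Veeam Backup Enterprise Manager
# installs against the fixed build named in the advisory (12.1.2.172).
from typing import Dict, List, Optional, Tuple

FIXED_BUILD = "12.1.2.172"  # version the article says addresses all four flaws


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.1.2.172' -> (12, 1, 2, 172): numeric tuples compare correctly,
    unlike strings ('12.1.10.5' < '12.1.2.172' as text, but not as a build)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the installed build is at or above the fixed build."""
    a, b = parse_version(installed), parse_version(fixed)
    # pad the shorter tuple with zeros so '12.1.2' compares as '12.1.2.0'
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def triage(inventory: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """inventory: (hostname, version) pairs; version None means Enterprise
    Manager is not installed on that host, which the advisory says is not
    affected. Returns hosts grouped by status."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "not_installed": []}
    for host, version in inventory:
        if version is None:
            result["not_installed"].append(host)
        elif is_patched(version):
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory: hostnames and build numbers are made up,
# chosen to exercise the below/at/above-fix and not-installed cases.
SAMPLE_INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("vbem-01.example.test", "12.1.1.56"),    # below fix -> vulnerable
    ("vbem-02.example.test", "12.1.2.172"),   # exactly the fix -> patched
    ("vbem-03.example.test", "12.1.10.5"),    # hypothetical later build -> patched
    ("vbem-04.example.test", None),           # component not deployed -> out of scope
    ("vbem-05.example.test", "12.0.0.1420"),  # older major branch -> vulnerable
]


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>13}: {', '.join(hosts) or '-'}")
```

In a real environment the version column would come from your asset inventory or the Enterprise Manager hosts themselves rather than a hard-coded list; the comparison and grouping logic stays the same.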


In recent weeks, the company has also resolved a local privilege escalation flaw affecting the Veeam Agent for Windows (CVE-2024-29853, CVSS score: 7.2) and a critical remote code execution bug impacting Veeam Service Provider Console (CVE-2024-29212, CVSS score: 9.9).

“Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine,” Veeam said of CVE-2024-29212.

Security flaws in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) have been exploited by threat actors like FIN7 and Cuba for deploying malicious payloads, including ransomware, making it imperative that users move quickly to patch the aforementioned vulnerabilities.

