Veeam softwareVEEAM:KB3108List of Security Fixes and Improvements in Veeam Agent for Microsoft Windows
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
Purpose
This article describes all security-related fixes and improvements introduced in each release or update of Veeam Agent for Microsoft Windows.
This article aims to provide our customers’ security and compliance teams with detailed information on security improvements between releases to help them make an informed decision on whether it is critical to upgrade from their current Veeam Agent for Microsoft Windows version to a later one.
Security Fixes and Improvements
6.1.2.134
- Vulnerability (CVE-2024-29853) in Veeam Agent for Microsoft Windows was fixed.
6.1.0.349
- OpenSSL library updated to 1.0.2zi.
- LZ4 library updated to 1.9.4.
- Stronger backup encryption. - _(See pg. 7 of Veeam Backup & Replication 12.1 What’s New PDF)
_
6.0.2.1090
- OpenSSL Library updated to the newest version (1.0.2zg).
6.0.0.960
- Added support for networks with NTLM authentication disabled (Kerberos-only authentication).
- Audit capabilities were improved.
- zlib has been updated to version 1.2.13.
- OpenSSL version has been updated to 1.0.2ze.
5.0.3.5029
- OpenSSL was updated to v1.0.2zi.
- liblz4 was updated to v1.9.4.
- zlib was updated to v1.2.13.
- PuTTY was updated to 0.80.
5.0.3.4708
- Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows was fixed.
_This vulnerability was reported by Nikita Petrov (Positive Technologies).
_
5.0.0.4301
- LZ4 compression library version has been updated to version 1.9.2
4.0.2.2208
- Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows was fixed.
_This vulnerability was reported by Nikita Petrov (Positive Technologies).
_
4.0.0.1811
- A custom security descriptor was provided for the driver’s control device (vulnerability reported by Mile Karry).
- Deserialization issues were fixed (vulnerability reported by Harrison Neal).
- A user authorization issue was fixed (vulnerability reported by Harrison Neal).
- OpenSSL was updated to version 1.0.2t
More Information
As we’re establishing this new process, we appreciate any feedback on the content or format of this KB article. Please let us know in the related topic on the Veeam R&D Forums. If your feedback is too sensitive to be shared publicly, please submit it by opening a support case. We highly appreciate your collaboration!
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| veeam | veeam_backup_for_google_cloud | 6.2 | cpe:2.3:a:veeam:veeam_backup_for_google_cloud:6.2:*:*:*:*:*:*:* |
| veeam | veeam_backup_for_google_cloud | 6.1 | cpe:2.3:a:veeam:veeam_backup_for_google_cloud:6.1:*:*:*:*:*:*:* |
| veeam | veeam_backup_for_google_cloud | 6.0 | cpe:2.3:a:veeam:veeam_backup_for_google_cloud:6.0:*:*:*:*:*:*:* |
| veeam | veeam_backup_for_google_cloud | 5.0 | cpe:2.3:a:veeam:veeam_backup_for_google_cloud:5.0:*:*:*:*:*:*:* |
| veeam | veeam_backup_for_google_cloud | 4.0 | cpe:2.3:a:veeam:veeam_backup_for_google_cloud:4.0:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High