Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

Veeam says critical flaw can't be abused to trash backups

It's still a rough one, so patch up

Connor Jones Thu 23 May 2024  //  14:30 UTC

Veeam says the recent critical vulnerability in its Backup Enterprise Manager (VBEM) can't be used by cybercriminals to delete an organization's backups.

Rated 9.8 out of a possible 10, exploiting CVE-2024-29849 could allow attackers the chance to log into the VBEM web interface without the need for authentication.

The flaw would allow attackers to log in as any user, but Veeam's security advisory didn't detail the vulnerability in any great depth, opening up questions about the potential impact and if customers' backups were safe.

Despite attackers being able to log into VBEM as any user and the privileges that come with that, it confirmed to The Register that exploiting the flaw couldn't possibly lead to backups being deleted.

"Because of our immutable backups and/or four-eyes authorization, the threat actor would receive an access denied error upon attempting to delete backups," said a spokesperson.

Offering a more general statement about the vulnerability, the company also said: "Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk. As part of this, we run rigorous internal testing, a vulnerability disclosure program and a bug bounty program for all our products. Through these programs, several potential vulnerabilities were identified in Veeam Backup Enterprise Manager. Veeam has created and released a fix for this issue and it's now available. We recommend all our customers keep their products updated.

"When a vulnerability is identified and disclosed, attackers will still attempt to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts. This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner."

Customers are being urged to apply the updates quickly but they may not apply to all organizations that rely on Veeam for data backups. 

VBEM is an optional, supplementary tool that customers can choose to deploy alongside Veeam Backup & Replication. It offers management capabilities for the main backup solution via a web console.

Veeam made it clear in the advisory, in an orange boxout and written in bold lettering, that not all customers will have VBEM installed and as such won't be vulnerable to the flaw.

The company also didn't offer an indication of how many or what proportion of backup customers choose to run it. The long and short of it is that if VBEM isn't installed then the vulnerability is nothing to worry about.

The news that backups are safe despite attackers being able to log into VBEM will be welcomed by customers. If an attacker were able to delete backups, Professor Alan Woodward, a computer scientist at the University of Surrey, said it would be "the worst of all worlds" having an organization's safety net cut away.

Other flaws and how to protect

Veeam addressed CVE-2024-29849 and three other vulnerabilities in VBEM 12.1.2.172, which comes packaged with Veeam Backup & Replication 12.1.2 (build 12.1.2.172). 

The other bugs include:

Naturally, applying the patch is the best route to safety, but if for whatever reason VBEM can't be upgraded to 12.1.2.172 immediately, organizations can halt the software in the interim. Stopping and disabling VeeamEnterpriseManagerSvc and VeeamRESTSvc will do the trick.

As VBEM is also compatible with older Veeam Backup & Replication servers, if running on a dedicated server, the patches can be applied without needing to upgrade Backup & Replication immediately.

If VBEM isn't being used, then of course uninstalling it is also an option. ®
Send us news
1 Comment

Veeam debuts its Proxmox backup tool – and reveals outfit using it to quit VMware

More help for Nutanix, too

Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers

Infosec hounds say they spotted vulnerability during routine travel in the US

Check your IP cameras: There's a new Mirai botnet on the rise

Also, US offering $2.5M for Belarusian hacker, Backpage kingpins jailed, additional MOVEit victims, and more

White House’s new fix for cyber job gaps: Serve the nation in infosec

Now do your patriotic duty and fill one of those 500k open roles, please?

US sues Georgia Tech over alleged cybersecurity failings as a Pentagon contractor

Rap sheet spells out major no-nos after disgruntled staff blow whistle

Brain Cipher claims attack on Olympic venue, promises 300 GB data leak

French police reckon financial system targeted during Summer Games

Homeland security hopes to scuttle maritime cyber-threats with port infosec testbed

Supply chains, 13M jobs and $649B a year at risk, so Uncle Sam is fighting back - with a request for info

Multiple flaws in Microsoft macOS apps unpatched despite potential risks

Windows giant tells Cisco Talos it isn't fixing them

Deadline looms: Google Workspace mandates OAuth by September 30

27 days to get your users' third-party apps on Google’s sign-in

RansomHub hits 210 victims in just 6 months

The ransomware gang recruits high-profile affiliates from LockBit and ALPHV

AMD reverses course: Ryzen 3000 CPUs will get SinkClose patch after all

Still no love for 1000- or 2000-series

RansomHub-linked EDR-killing malware spotted in the wild

Also: Your external-facing NetSuite sites need a review; five popular malware varieties for Q2, and more