There are currently two critical Common Vulnerabilities and Exposures (CVEs) that affect Veeam Backup & Replication and account for two of the three critical Veeam Backup & Replication CVEs and the most serious of the products affected as at the time of writing this piece. The Critical Veeam Backup & Replication vulnerability notes include CVE-2022-26500 | CVE-2022-26501. Kindly refer to these related guides: Veeam Certified Architect: A review of the VMCA Training & Certification, Standalone Veeam ONE installation: How to set up Veeam ONE 11 Server, how to uninstall Veeam Backup and Replication from your server, and Azure Backup and Recovery: How to setup Veeam Backup for Microsoft Azure [Part 1]
These two CVEs (CVE-2022-26500, CVE–2022-26501) allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. This carries a CVSS rating of 9.8 and its severity classified as Critical. Here is a fix for Veeam Agent vulnerability for Microsoft Windows.Cause
Moreover, The vulnerability originates from Veeam Distribution Service on TCP 9380. Apply the essential Veeam Backup and Replication Vulnerability Fix for robust security. Furthermore, This allows unauthenticated users to access internal Veeam API functions. An attacker may send input to the Veeam API, allowing the uploading and executing of malicious code.
Worth noting: All new deployments of Veeam Backup & Replication versions 11 and 10 installed using the ISO images dated 20220302 or later are not vulnerable.
How can I temporarily resolve this issue?
Nonetheless, Per Veeam’s guidance, the current workaround involves implementing the Veeam Backup and Replication Vulnerability Fix. However, It is advised to halt and deactivate the Veeam Distribution Service to address the issue. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.
Consider this temporary solution if you lack a maintenance window to patch the VBR Server.
Solution
Notably, for ensuring system security, patches are now accessible for Veeam 11a and 10a versions. However, The crucial Veeam Backup and Replication Vulnerability Fix need installation on the server. Managed servers using Veeam Distribution Service will receive automated updates post-patch installation.
Note: If you’re utilizing Veeam Backup and Replication 9.5, performing a Veeam Backup and Replication Vulnerability Fix is crucial by upgrading to a supported product version.
