Advisory

Veeam reports critical flaw in their Backup Enterprise Manager

Take action: If you are using Veeam Backup Enterprise Manager, it's time to apply the patch. Naturally, first make sure your Veeam interface is accessible only from trusted networks. If you can't patch, stop and disable the VeeamEnterpriseManagerSvc and VeeamRESTSvc services. If you are not using the product, uninstall it completely.


Learn More

Veeam has issued an urgent warning to its customers regarding a critical security vulnerability in the Veeam Backup Enterprise Manager (VBEM). VBEM is a web-based platform enabling administrators to manage Veeam Backup & Replication installations via a single web console.

The vulnerability is tracked as CVE-2024-29849 (CVSS score 9.8) and allows unauthenticated attackers to log in to the VBEM web interface as any user. VBEM is not enabled by default, so not all environments are susceptible to attacks exploiting this vulnerability.

Veeam urges administrators who use VBEM to upgrade to version 12.1.2.172 to patch this security flaw. For those who cannot immediately upgrade, Veeam suggests mitigating the issue by stopping and disabling the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services. Alternatively, if VBEM is not in use, it can be uninstalled following Veeam's instructions to eliminate the attack vector.
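As an added example (not Veeam's own script or documentation), the following PowerShell checks the installed VBEM version against the fixed build named above and, on an unpatched host, applies the interim mitigation of stopping and disabling the two services from the advisory. It assumes the product registers a Windows uninstall entry whose DisplayName contains "Enterprise Manager" and that DisplayVersion carries a four-part version string; both are assumptions, not something the advisory states.

```powershell
# Added example (not Veeam tooling): verify VBEM patch level and, if unpatched,
# apply the advisory's interim mitigation. Run in an elevated session on the VBEM host.
# Assumptions: uninstall entry DisplayName contains "Enterprise Manager";
# fixed version 12.1.2.172 as stated in the advisory.

$FixedVersion = [version]'12.1.2.172'
$Services     = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

# Locate the installed VBEM version from the Windows uninstall registry entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$vbem = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Veeam*Enterprise Manager*' } |
    Select-Object -First 1

if (-not $vbem) {
    Write-Host 'VBEM does not appear to be installed on this host; nothing to do.'
    return
}

$installed = [version]$vbem.DisplayVersion
Write-Host "Installed VBEM version: $installed (fixed: $FixedVersion)"

if ($installed -ge $FixedVersion) {
    Write-Host 'Patched build detected; the services can remain enabled.'
    return
}

# Unpatched: stop and disable both services until the upgrade to 12.1.2.172 is done.
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $name not found on this host."
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "$name stopped and set to Disabled."
}

# Show the end state so it can be recorded in the change ticket and re-checked later.
Get-Service -Name $Services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Re-run the script after the upgrade: once the installed version is at or above 12.1.2.172 it leaves the services alone, so re-enabling them (Set-Service -StartupType Automatic, then Start-Service) is a deliberate separate step rather than something the mitigation script undoes on its own.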

Additionally, Veeam has patched two other high-severity VBEM vulnerabilities:

  • CVE-2024-29850 (CVSS score 8.8): Allows account takeover via NTLM relay.
  • CVE-2024-29851 (CVSS score 7.2): Enables high-privileged users to steal the Veeam Backup Enterprise Manager service account's NTLM hash if not configured to run as the default Local System account.

Veeam products are utilized by over 450,000 customers worldwide, including 74% of all Global 2,000 companies, so patching is very prudent.

Update: as of 10 June 2024, a proof-of-concept (PoC) exploit for this critical authentication bypass vulnerability in Veeam Backup Enterprise Manager (VBEM) is publicly available. The exploit involves crafting an SSO token that includes an authentication request and an SSO service URL; the critical issue is that Veeam fails to verify the SSO service URL.