CVE-2024-29849 (CVSS 9.8): Veeam’s Backup Nightmare, Full System Access Exposed
Veeam Software, a leading provider of backup and recovery solutions, has issued urgent security advisories regarding multiple critical vulnerabilities in its Veeam Backup Enterprise Manager (Enterprise Manager) component. These vulnerabilities could allow unauthorized access, account takeover, and data exposure, putting the integrity of backup operations at serious risk.
The Vulnerabilities Unveiled
- CVE-2024-29849 (CVSS 9.8): The most severe of the vulnerabilities, this flaw allows unauthenticated attackers to bypass authentication measures and log in to the Enterprise Manager web interface as any user, granting them full control over the system.
- CVE-2024-29850 (CVSS 8.8): This vulnerability enables a sophisticated attack known as NTLM relay, where attackers can capture and reuse authentication credentials, effectively hijacking user accounts.
- CVE-2024-29851 (CVSS 7.2): In certain configurations, this flaw permits high-privileged users to steal the NTLM hash (a type of password representation) of the Enterprise Manager service account, potentially leading to further compromise of the system.
- CVE-2024-29852 (CVSS 2.7): This vulnerability allows high-privileged users to gain unauthorized access to backup session logs, potentially exposing sensitive information about backup configurations and data.
Impact and Mitigation
Deploying Veeam Backup Enterprise Manager is optional, and not all environments will have it installed. If your environment does not use Veeam Backup Enterprise Manager, it will not be affected by these vulnerabilities. However, for those who have deployed this component, the impact can be significant, particularly for vulnerabilities CVE-2024-29849 and CVE-2024-29850, which allow unauthorized access and account takeover.
Organizations that do use Enterprise Manager are strongly urged to take immediate action. Veeam has released patches to address these vulnerabilities, and users should apply them as quickly as possible.
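Because Enterprise Manager is an optional component, the first step in triage is establishing whether a given Windows host has it installed at all. The following PowerShell inventory check is an added example, not code from Veeam or from the advisory. It assumes the product registers under the standard Uninstall registry keys with a DisplayName containing "Veeam Backup Enterprise Manager" and runs a Windows service whose display name contains "Enterprise Manager"; both patterns are assumptions. The fixed build number is not stated here, so the script reports the installed version for you to compare against Veeam's advisory rather than judging it itself.

```powershell
# Added example (not Veeam's code): inventory check for Veeam Backup Enterprise Manager
# so an operator can tell whether this host is in scope for CVE-2024-29849 through
# CVE-2024-29852. Assumptions: the product appears under the standard Uninstall
# registry keys with a DisplayName matching $productPattern, and its service display
# name contains "Enterprise Manager". The patched version is not encoded here.

$productPattern = '*Veeam Backup Enterprise Manager*'   # assumed DisplayName pattern

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Installed-product entries that look like Enterprise Manager, with their version.
function Get-EnterpriseManagerInstall {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $productPattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate, Publisher
}

# Services whose display name suggests the Enterprise Manager web component is running.
function Get-EnterpriseManagerServices {
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Enterprise Manager*' } |   # assumed pattern
        Select-Object Name, DisplayName, Status, StartType
}

$installs = @(Get-EnterpriseManagerInstall)
$services = @(Get-EnterpriseManagerServices)

if ($installs.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output "Veeam Backup Enterprise Manager not found on ${env:COMPUTERNAME}; host is out of scope for these CVEs."
    return
}

Write-Output "Veeam Backup Enterprise Manager present on ${env:COMPUTERNAME}:"
$installs | Format-Table -AutoSize
$services | Format-Table -AutoSize
Write-Output "Compare DisplayVersion with the fixed build in Veeam's advisory and patch if the installed build is older."
```

Run it in an elevated PowerShell session on each backup server; hosts that report nothing are outside the affected scope the article describes, and hosts that report a version need that version checked against Veeam's published fix before the patch is applied.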