Veeam Security Advisory CVE-2022-26500 | CVE-2022-26501
Multiple vulnerabilities in Backup & Replication allow executing malicious code remotely without authentication.
This is a Press Release edited by StorageNewsletter.com on March 22, 2022 at 2:02 pm.
Veeam Software, Inc. has published a security advisory concerning Veeam Backup & Replication.
KB ID: 4288
Product: Veeam Backup & Replication | 9.5 | 10 | 11
Published: 2022-03-12
Last modified: 2022-03-15
Challenge
Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.
Severity: Critical
CVSS v3 score: 9.8
Cause
The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API, which may lead to the upload and execution of malicious code.
Solution
Patches are available for the following Veeam Backup & Replication versions:
Notes:
- The patch must be installed on the Veeam Backup & Replication server. Managed servers with Veeam Distribution Service will be updated automatically after installing the patch.
- All new deployments of Veeam Backup & Replication version 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable.
- If you are using Veeam Backup & Replication 9.5, please upgrade to a supported product version.
- Temporary mitigation of the vulnerabilities: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.
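A defender-side check and workaround for the temporary mitigation above, as an added example that is not Veeam's own tooling: run on the backup server and on each distribution server, it reports whether the Veeam Distribution Service is installed, running and listening on TCP 9380, and only when called with -Mitigate stops and disables the service as the advisory describes. The display name "Veeam Distribution Service", the -Mitigate switch and the inventory output format are assumptions.

```powershell
# Added example, not Veeam's own script. Assumes the service can be located by the
# display name "Veeam Distribution Service" (the advisory does not give the internal
# service name) and that it listens on the default port named in the advisory (TCP 9380).
param(
    [switch]$Mitigate,     # without this switch the script only reports, changes nothing
    [int]$Port = 9380      # default Veeam Distribution Service port per the advisory
)

$svc = Get-Service -DisplayName 'Veeam Distribution Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Veeam Distribution Service not installed on $env:COMPUTERNAME; nothing to do."
    return
}

# Inventory: service state plus whether the default port is actually listening,
# so hosts still exposed before the KB 4288 patch can be found quickly.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    ServiceName = $svc.Name
    Status      = $svc.Status
    StartType   = $svc.StartType
    Listening   = [bool]$listener
}

if (-not $Mitigate) { return }

# Temporary mitigation from the advisory: stop the service and keep it from restarting.
# Revert (re-enable the service) once the patch is installed on the backup server.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force
}
Set-Service -Name $svc.Name -StartupType Disabled
Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
```

Run without -Mitigate first across the affected hosts to confirm which ones still have the service listening, then apply -Mitigate only where the patch cannot be installed immediately.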
More information
These vulnerabilities were reported by Nikita Petrov (Positive Technologies).