Veeam has released security patches to fix two critical vulnerabilities, tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS score of 9.8), impacting the Backup & Replication solution for virtual environments.
The solution implements data backup and restore capabilities for virtual machines running on Hyper-V, vSphere, VMware, Windows & Linux servers, laptops, NAS and more
A remote, unauthenticated attacker could exploit both issues to execute arbitrary code potentially leading to a complete takeover of the target system.
“Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system.” reads the advisory published by the company. “The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code.”
The flaws reside in the Veeam Distribution Service that allows unauthenticated users to access internal API functions. The two vulnerabilities were reported by Nikita Petrov from Positive Technologies.
CVE-2022-26504 impacts the component used for Microsoft System Center Virtual Machine Manager (SCVMM) integration. An attacker without administrative domain credentials could achieve remote code execution by exploiting this issue.
CVE-2022-26503 impacts Veeam Agent for Microsoft Windows, it could be exploited by an attacker to elevate privileges and run arbitrary code as LOCAL SYSTEM.
Both issues impact Veeam Backup & Replication versions 9.5, 10, and 11, unfortunately, security patches for versions 9.5 are not available.
The vendor recommends disabling the Veeam Distribution Service as temporary mitigation.
(SecurityAffairs – hacking, RCE)