Veeam discloses critical security bug in the Backup Enterprise Manager tool

Veeam announced that it recently discovered and fixed a critical vulnerability in its Veeam Backup Enterprise Manager (VBEM).

The vulnerability, tracked as CVE-2024-29849 (via BleepingComputer), is described as an authentication bypass flaw that allows an unauthenticated attacker to log into the VBEM web interface as any user. It carries a CVSS score of 9.8 and is rated “critical”.

VBEM is a centralized management and monitoring tool for Veeam Backup & Replication environments. Designed for large-scale or enterprise-scale deployments, it provides a unified interface that allows administrators to manage, monitor, and control backup operations across multiple Veeam Backup & Replication servers.

Fixing more mistakes

It’s also worth noting that VBEM is an optional component that is not installed by default, so not every Veeam Backup & Replication deployment is exposed; only hosts where VBEM is installed are affected. Everyone who runs it, however, is advised to apply the patch as soon as possible.

Those who cannot do so immediately are advised to stop and disable the VeeamEnterpriseManagerSvc and VeeamRESTSvc services on the VBEM host until the update can be installed. Completely removing Veeam Backup Enterprise Manager is also a viable option. More details can be found on the relevant help page on the company’s website.

The first version not affected by the bug is VBEM 12.1.2.172, as confirmed by the company.
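The following PowerShell script is an added example, not Veeam’s own tooling, showing how an administrator who cannot patch yet might apply the interim mitigation described above: it reads the installed VBEM build, compares it against the first fixed build (12.1.2.172), and, if the host is still vulnerable, stops and disables the two named services and verifies the result. It assumes (not stated in the article) that the VBEM installer registers an Uninstall entry whose DisplayName begins with “Veeam Backup Enterprise Manager” and carries a DisplayVersion string, and that the script is run in an elevated session on the VBEM host.

```powershell
# Added example (not Veeam's own script): interim mitigation for CVE-2024-29849
# on a VBEM host that cannot be patched yet. Stops and disables the two services
# named in the advisory and reports the installed build so the operator can see
# whether the host is already at or past the first fixed build, 12.1.2.172.
# Assumptions (not from the article): VBEM's Uninstall registry entry has a
# DisplayName starting "Veeam Backup Enterprise Manager" and a DisplayVersion
# string; the script runs elevated on the VBEM host itself.
#Requires -RunAsAdministrator

$FixedBuild = [version]'12.1.2.172'
$Services   = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

# 1. Look up the installed VBEM version from the Uninstall registry keys
#    (both native and WOW6432Node locations, in case of a 32-bit installer).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$vbem = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup Enterprise Manager*' } |
    Select-Object -First 1

if (-not $vbem) {
    Write-Host 'VBEM does not appear to be installed on this host; nothing to do.'
    return
}

$installed = [version]$vbem.DisplayVersion
Write-Host "Installed VBEM build: $installed (first fixed build: $FixedBuild)"

if ($installed -ge $FixedBuild) {
    Write-Host 'Host is already on a fixed build; the services can stay enabled.'
    return
}

# 2. Stop and disable each service the advisory names. A missing service is
#    reported rather than treated as an error, since VeeamRESTSvc is not
#    necessarily present on every install.
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $name not found; skipping."
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
    }
    # Disabled (not Manual) so nothing can start it again before the patch.
    Set-Service -Name $name -StartupType Disabled
}

# 3. Verify: every present service must be Stopped AND Disabled before the
#    host is considered mitigated; a stopped-but-Automatic service would
#    simply come back at the next reboot.
$state = Get-CimInstance Win32_Service `
    -Filter "Name='VeeamEnterpriseManagerSvc' OR Name='VeeamRESTSvc'" |
    Select-Object Name, State, StartMode
$state | Format-Table -AutoSize

$unmitigated = $state | Where-Object { $_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled' }
if ($unmitigated) {
    Write-Error 'One or more VBEM services are still running or set to start; re-check before relying on this mitigation.'
} else {
    Write-Host 'Mitigation applied: VBEM services stopped and disabled. Patch to 12.1.2.172 or later, then re-enable them.'
}
```

Two points worth keeping in mind when using something like this: the verification step matters because `Stop-Service` alone leaves the startup type untouched, so a reboot would silently undo the mitigation; and disabling these services removes only the Enterprise Manager web interface and its REST API, so the Veeam Backup & Replication servers it manages keep running their jobs, but they must be managed directly until VBEM is patched and re-enabled.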

In its latest security advisory, Veeam also said it has patched two additional VBEM flaws: one that allowed account takeover via NTLM relay (tracked as CVE-2024-29850), and one that allows high-privilege users to abuse Veeam Backup Enterprise Manager to steal the NTLM hash of the service account in scenarios where it is not configured to run as the default local system account (tracked as CVE-2024-29851).
