A critical security vulnerability has been detected in Veeam Backup Enterprise Manager (VBEM), posing a significant threat to organizations that run this software. Tracked as CVE-2024-29849, the flaw lets an unauthenticated attacker bypass authentication and log in to the VBEM web interface. With a CVSS score of 9.8, it requires prompt attention from affected users.

Technical Information
Veeam Backup Enterprise Manager is a centralized management tool intended to simplify the oversight of Veeam Backup & Replication environments. CVE-2024-29849 stems from a deficiency in the web interface’s authentication mechanism that allows an attacker to log in as any user without valid credentials. This critical vulnerability affects VBEM versions ranging from 5.0 to 12.1.

In conjunction with CVE-2024-29849, three additional vulnerabilities have been identified and resolved:

  • CVE-2024-29850: With a CVSS score of 8.8, this vulnerability permits attackers to take over accounts through NTLM relay attacks.
  • CVE-2024-29851: With a CVSS score of 7.2, this flaw allows highly privileged users to steal the NTLM hash of the Veeam Backup Enterprise Manager service account, provided that account is not the default Local System account.
  • CVE-2024-29852: This low-severity issue, with a CVSS score of 2.7, allows high-privileged users to read backup session logs.

Affected Products
All versions of Veeam Backup Enterprise Manager prior to version 12.1.2.172 are affected by these vulnerabilities. Note, however, that the installation of VBEM is optional, and systems without VBEM installed are not affected.

Mitigation and Recommendations
To address these vulnerabilities, Veeam has released version 12.1.2.172. It is strongly recommended that users upgrade to this latest version in order to protect their systems from potential exploitation. For those unable to immediately perform the upgrade, Veeam advises stopping the VBEM services to mitigate the risks. The following services should be halted and disabled:

1. VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
2. VeeamRESTSvc (Veeam RESTful API Service)

If VBEM is not actively used, it can be uninstalled to completely remove the attack vector. Additionally, if VBEM is installed on a dedicated server, it is possible to upgrade VBEM independently of Veeam Backup & Replication.
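The following PowerShell script is an added example, not Veeam's own tooling: it applies the interim mitigation above on a host that cannot be upgraded yet, by reading the installed VBEM version and, if it is older than the fixed build 12.1.2.172, stopping and disabling the two services named in the advisory. It assumes VBEM registers its version in the standard Windows uninstall registry keys under a DisplayName beginning "Veeam Backup Enterprise Manager", and it must run as an administrator on the VBEM server.

```powershell
# Added example (not from Veeam). Interim mitigation for CVE-2024-29849 on hosts
# that cannot yet be upgraded: detect an unpatched VBEM install and disable the
# VBEM services named in the advisory. Run elevated on the VBEM server.
# Assumption: VBEM appears in the standard uninstall keys with a DisplayName
# starting "Veeam Backup Enterprise Manager" and a DisplayVersion value.

$FixedVersion = [version]'12.1.2.172'
$Services     = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')

function Get-VbemVersion {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup Enterprise Manager*' } |
        Select-Object -First 1
    if ($null -eq $entry) { return $null }   # VBEM not installed: host not affected
    return [version]$entry.DisplayVersion
}

function Test-VbemVulnerable {
    param([version]$Installed)
    # Anything below the fixed build is exposed to CVE-2024-29849..29852.
    return ($null -ne $Installed) -and ($Installed -lt $FixedVersion)
}

function Disable-VbemServices {
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "$name is not present on this host"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        # Disabled startup keeps the service from returning after a reboot.
        Set-Service -Name $name -StartupType Disabled
        $after = Get-Service -Name $name
        Write-Output ("{0}: status {1}, startup {2}" -f $name, $after.Status, $after.StartType)
    }
}

$installed = Get-VbemVersion
if ($null -eq $installed) {
    Write-Output 'VBEM is not installed on this host; nothing to do.'
} elseif (-not (Test-VbemVulnerable $installed)) {
    Write-Output "VBEM $installed is at or above $FixedVersion; no action needed."
} else {
    Write-Output "VBEM $installed is older than $FixedVersion; disabling VBEM services."
    Disable-VbemServices
}
```

Re-run the script after upgrading to confirm it reports no action needed; the services then have to be re-enabled by hand, since the script only ever disables them.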

Broader Security Context
While there have been no reports of these specific vulnerabilities being exploited in the wild, cybercriminals have targeted similar vulnerabilities in Veeam products in the past. For instance, the FIN7 group and Cuba ransomware affiliates leveraged the CVE-2023-27532 vulnerability in Veeam Backup & Replication for financially motivated attacks. These instances emphasize the importance of promptly addressing security flaws in backup management software to prevent potential breaches and ransomware attacks.

Conclusion
The discovery of the CVE-2024-29849 vulnerability in Veeam Backup Enterprise Manager highlights the critical need for timely software updates and robust security practices. Organizations utilizing VBEM should prioritize upgrading to the latest version to mitigate the risk of unauthorized access and ensure the integrity of their backup management systems. As cyber threats continue to evolve, maintaining up-to-date software and implementing proactive security measures remain essential for safeguarding sensitive data.