Veeam urges “immediate” updates after vulnerability exposes backup hosts

This may generate a lot of Black Hat interest...

Veeam has warned users to update immediately after fixing a vulnerability that allows an unauthenticated user to request encrypted credentials – which may, as the disaster recovery and data protection software provider warns – “lead to gaining access to the backup infrastructure hosts.” (It's not quite as bad as it sounds; read on.)

“This affects all Veeam Backup & Replication versions. We have developed patches for V11 and V12 to mitigate this vulnerability and we recommend you update your installations immediately,” Veeam told customers, saying that the bug, CVE-2023-27532, was reported via its vulnerability disclosure programme.

It credited security researcher “Shanigen”.

Veeam said on March 7: “If you use an earlier Veeam Backup & Replication version, please upgrade to a supported version first. If you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed. The patch must be installed on the Veeam Backup & Replication server.

The vulnerable process is Veeam.Backup.Service.exe, which listens on TCP 9401 by default.

Veeam has released a patch to resolve the vulnerability for the following builds:

12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)


Versions installed using ISO images 20230223 (V12) and 20230227 (V11) or later are not vulnerable.

Veeam is a huge provider of backup services – it names over 450,000 customers globally including 81% of the Fortune 500 and 70% of the Global 2000 – making it a compelling target. Threat actors will no doubt be looking to reverse engineer the patch in order to assess how to exploit the vulnerability in the very near future.

The Veeam vulnerability has the (perhaps surprisingly modest) CVSS of 7.5.

This may be because, although the bug sounds troubling, users with a properly configured Veeam environment – for example one in an isolated network/subnet behind a properly configured firewall – should only have the port in question open to other Veeam servers. So whilst the bug might be useful for moving laterally within a Veeam deployment, an attacker would have to have already compromised another Veeam server to make effective use of it.
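The interim mitigation Veeam describes (block external connections to TCP 9401 on the backup server) and the point above (the port should only be open to other Veeam servers) can both be expressed as a Windows Firewall scoping job. The script below is an added example, not code from Veeam's KB; the peer addresses are constructed placeholders, and the rule display name is an assumption.

```powershell
# Added example (not from Veeam's KB): scope inbound TCP 9401 on the backup server
# to the hosts that legitimately talk to Veeam.Backup.Service.exe.
# The addresses below are constructed placeholders; replace them with your real
# backup infrastructure components (proxies, repositories, consoles). For an
# all-in-one appliance with no remote components, leave the list empty.
$allowedPeers = @('10.10.20.11', '10.10.20.12', '10.10.20.0/24')  # placeholders
$port = 9401

# 1. Find enabled inbound Allow rules that already expose 9401 to any remote address.
$broadRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addr  = $_ | Get-NetFirewallAddressFilter
        ($ports.Protocol -eq 'TCP' -or $ports.Protocol -eq 'Any') -and
        ($ports.LocalPort -contains "$port" -or $ports.LocalPort -eq 'Any') -and
        $addr.RemoteAddress -eq 'Any'
    }

foreach ($rule in $broadRules) {
    Write-Host "Disabling broad inbound rule: $($rule.DisplayName)"
    # Disable rather than delete so the change is easy to roll back.
    Disable-NetFirewallRule -Name $rule.Name
}

# 2. Allow 9401 only from the named peers. Windows Firewall gives Block rules
#    precedence over Allow rules, so do NOT add a separate Block rule for 9401;
#    the profile's default inbound action (Block) handles every other source.
if ($allowedPeers.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'Veeam Backup Service 9401 (scoped)' `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $allowedPeers -Action Allow -Profile Any | Out-Null
}

# 3. Confirm the default inbound action really is Block on every profile;
#    the scoping above is meaningless if a profile defaults to Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

This only narrows exposure; as the advisory says, the patch still has to be installed on the Veeam Backup & Replication server.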

Configuration mishaps or a cavalier approach to internet-exposure are not, of course, uncommon.

Veeam's advisory, KB442, is here.

Veeam vulnerability warning follows server backup attacks

Backup software is a big target. The Veeam vulnerability warning comes days after CISA warned that server backup software from ConnectWise was being exploited in the wild by attackers, who were using the vulnerable software agent to tailgate into other servers that were being backed up; effectively surfing backwards from backup systems to live environments from which they can steal critical data or drop malware as they choose.

Most companies affected by that vulnerability (CVE-2022-36537) rapidly patched or pulled exposed interfaces offline – there were 4,738 instances exposed at the initial time of disclosure in October 2022.

Researchers at FOX-IT said in a February 22 blog that as of early this year they could still identify 286 servers running vulnerable versions of the software. The Stack noted that at least one of those was a UK provider of critical IaaS services to the financial sector. (When contacted the company initially denied knowledge of the exposure and then insisted that the three servers publicly exposed were honeypots.)

Back in November 2022 meanwhile Oracle also warned that its Oracle Secure Backup suite was exposed to an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise [and] takeover [the product]”, giving the pre-auth RCE vulnerability a critical CVSS of 9.8.

Like the ConnectWise vulnerability (which affects its R1Soft Server Backup Manager software) Oracle’s bug had its roots in an upstream open source component. The R1Soft bug stemmed from an issue in the open source ZK Java framework. The Oracle backup vulnerability meanwhile had its roots in CVE-2022-31813.

That’s a bug in Apache HTTP Server 2.4.53 and earlier. The vulnerability exists because Apache HTTPD mod_proxy, between versions 2.2.1 and 2.4.53, does not fill the X-Forwarded headers when those are listed as hop-by-hop. Applications hosted behind it can misunderstand the real client’s IP address or requested hostname. (The bug, first reported in June 2022 and written about in detail by security researchers at Synacktiv who reported it, affected numerous downstream software products that rely on Apache HTTP Server.)
