{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-019.pdf"
    },
    "title": "Multiple Critical Vulnerabilities in Veeam",
    "serial_number": "2022-019",
    "publish_date": "21-03-2022 17:14:00",
    "description": "On 12/03/2022 Veeam published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam products which allow remote code execution without authentication. These vulnerabilities may allow an attacker to gain control over the targeted system. The publication was last modified by Veeam on 18/03/2022.",
    "url_title": "2022-019",
    "content_markdown": "---\ntitle: 'Multiple Critical Vulnerabilities in\u00a0Veeam'\nversion: '1.0'\nnumber: '2022-019'\ndate: 'March 21, 2022'\n---\n\n_History:_\n\n* _21/03/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 12/03/2022 Veeam published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) [2, 3] in Veeam products which allow remote code execution without authentication. These vulnerabilities may allow an attacker to gain control over the targeted system. The publication was last modified by Veeam on 18/03/2022 [1].\n\n\n# Technical Details\n\nThe Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote, unauthenticated attacker may send crafted input to this internal API and thereby upload and execute malicious code on the affected products.\n\n# Affected Products\n\nAccording to Veeam the affected products are:\n\n- Veeam Backup & Replication 9.5\n- Veeam Backup & Replication 10\n- Veeam Backup & Replication 11\n\nHowever, all new deployments of Veeam Backup & Replication versions 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable [1].\n\n\n# Recommendations and Mitigations\n\nCERT-EU recommends following the specific steps listed for each of the following versions of the product.\n\nPatches are available for the following product versions [1]:\n\n- Veeam Backup & Replication 11a (build 11.0.1.1261 P20220302)\n- Veeam Backup & Replication 10a (build 10.0.1.4854 P20220304)\n\nThere is no patch for Veeam Backup & Replication 9.5, because support for the product ended in January 2022 [4]. Veeam suggests upgrading to supported versions of the product [5].\n\nAs a temporary mitigation of the vulnerabilities, Veeam suggests stopping and disabling the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and on servers specified as distribution servers in Protection Groups.\n\n# References\n\n[1] <https://www.veeam.com/kb4288>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26500>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26501>\n\n[4] <https://www.veeam.com/product-lifecycle.html>\n\n[5] <https://helpcenter.veeam.com/docs/backup/vsphere/upgrade_vbr.html?ver=110>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/03/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 12/03/2022 Veeam published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) [2, 3] in Veeam products which allow remote code execution without authentication. These vulnerabilities may allow an attacker to gain control over the targeted system. The publication was last modified by Veeam on 18/03/2022 [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote, unauthenticated attacker may send crafted input to this internal API and thereby upload and execute malicious code on the affected products.</p><h2 id=\"affected-products\">Affected Products</h2><p>According to Veeam the affected products are:</p><ul><li>Veeam Backup &amp; Replication 9.5</li><li>Veeam Backup &amp; Replication 10</li><li>Veeam Backup &amp; Replication 11</li></ul><p>However, all new deployments of Veeam Backup &amp; Replication versions 11a and 10a installed using the ISO images dated 20220302 or later are not vulnerable [1].</p><h2 id=\"recommendations-and-mitigations\">Recommendations and Mitigations</h2><p>CERT-EU recommends following the specific steps listed for each of the following versions of the product.</p><p>Patches are available for the following product versions [1]:</p><ul><li>Veeam Backup &amp; Replication 11a (build 11.0.1.1261 P20220302)</li><li>Veeam Backup &amp; Replication 10a (build 10.0.1.4854 P20220304)</li></ul><p>There is no patch for Veeam Backup &amp; Replication 9.5, because support for the product ended in January 2022 [4]. Veeam suggests upgrading to supported versions of the product [5].</p><p>As a temporary mitigation of the vulnerabilities, Veeam suggests stopping and disabling the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup &amp; Replication server and on servers specified as distribution servers in Protection Groups.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.veeam.com/kb4288\">https://www.veeam.com/kb4288</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26500\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26500</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26501\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26501</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.veeam.com/product-lifecycle.html\">https://www.veeam.com/product-lifecycle.html</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpcenter.veeam.com/docs/backup/vsphere/upgrade_vbr.html?ver=110\">https://helpcenter.veeam.com/docs/backup/vsphere/upgrade_vbr.html?ver=110</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}