Overview

A critical vulnerability has been discovered in Veeam Backup Enterprise Manager (VBEM), a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. This flaw, identified as CVE-2024-29849 and rated with a CVSS score of 9.8, allows unauthenticated attackers to sign into any account through the VBEM interface. While VBEM is not enabled by default, environments where it is active are susceptible to this severe security issue.

The following vulnerabilities have been disclosed:

  • CVE-2024-29849 (CVSS score: 9.8): An authentication bypass vulnerability in VBEM that allows unauthenticated attackers to log in to the web interface as any user. This vulnerability poses a high risk due to its potential for unauthorised access and control over backup operations.

In addition to CVE-2024-29849, two high-severity vulnerabilities have also been addressed:

  • CVE-2024-29850: Allows account takeover via NTLM relay.
  • CVE-2024-29851: Enables high-privileged users to steal the Veeam Backup Enterprise Manager service account’s NTLM hash if not configured to run as the default Local System account.

Affected Devices

  • BIG-IP Next Central Manager: Versions 20.0.1 to 20.1.0
  • Severity: High
  • CVSSv3 Score: 7.5

Recommended Remediations

o mitigate the risks posed by these vulnerabilities, CTRL strongly recommends the following actions:

  1. Immediate Update: Upgrade to VBEM version 12.1.2.172 to apply the necessary patches that address these vulnerabilities.
  2. Temporary Workarounds:
    • Stop and Disable Services: If immediate upgrading is not feasible, stop and disable the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services.
    • Uninstall VBEM: If the Veeam Backup Enterprise Manager is not in use, uninstall it to eliminate the attack vector. Follow the instructions provided by Veeam for uninstallation.