Four new vulnerabilities in Veeam Backup Enterprise Manager, with CVSS scores ranging from 2.7 to 9.8 (out of 10), have recently been announced and patched. The most serious of these, tracked as CVE-2024-29849 (CVSS score: 9.8), allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. The other three vulnerabilities are as follows:
CVE-2024-29850 (CVSS score: 8.8) – Allows account takeover via NTLM relay.
CVE-2024-29851 (CVSS score: 7.2) – Allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account.
CVE-2024-29852 (CVSS score: 2.7) – Allows a high-privileged user to read backup session logs.
Veeam has released Enterprise Manager 12.1.2.172, which addresses all four of these vulnerabilities. Veeam also notes that, until the update can be applied, these vulnerabilities can be mitigated by halting the Veeam Backup Enterprise Manager software.
To do this, stop and disable the following services:
VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
VeeamRESTSvc (Veeam RESTful API Service)
NOTE: Do not stop the Veeam Backup Server RESTful API Service.
If your organization’s Enterprise Manager instance is currently reachable from the internet, it is recommended that external access be cut off until the software can be updated.
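The following PowerShell script is an added example, not part of the Veeam advisory or of any Veeam tooling. It checks the installed Enterprise Manager build against the fixed version, and if the host is still on an older build it stops and disables the two services named above and adds a temporary inbound firewall block for the web interface. The two service names and the fixed version come from the advisory; the registry lookup for the installed version, the DisplayName pattern, and the TCP port 9443 used for the firewall rule are assumptions that should be verified against your own deployment before use.

```powershell
# Added example (not from the Veeam advisory): emergency mitigation for an
# Enterprise Manager host that cannot yet be updated to 12.1.2.172.
# Run from an elevated PowerShell session on the Enterprise Manager server.
#Requires -RunAsAdministrator

$FixedVersion = [version]'12.1.2.172'
$Services     = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')   # per KB4581
$WebPort      = 9443   # ASSUMPTION: default Enterprise Manager web port; verify locally

function Get-VeeamEMVersion {
    # ASSUMPTION: the installer registers under the standard Uninstall keys
    # with a DisplayName containing "Veeam Backup Enterprise Manager".
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Veeam Backup Enterprise Manager*' } |
        Select-Object -First 1
    if ($null -eq $entry) { return $null }
    return [version]$entry.DisplayVersion
}

function Disable-VeeamEMServices {
    # Stops and disables only the two Enterprise Manager services from KB4581.
    # The Veeam Backup Server RESTful API Service is deliberately not touched.
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning "Service $name not found on this host; skipping."
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
        }
        Set-Service -Name $name -StartupType Disabled
        $svc.Refresh()
        '{0}: Status={1}, StartType={2}' -f $name, $svc.Status, $svc.StartType
    }
}

function Block-VeeamEMWebPort {
    # Temporary host-firewall block for the web interface. Note this blocks
    # internal administrators too; remove the rule once the host is patched.
    $ruleName = 'TEMP Block Veeam EM web (KB4581)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort $WebPort -Action Block | Out-Null
    }
    "Inbound TCP/$WebPort blocked by rule '$ruleName'."
}

$installed = Get-VeeamEMVersion
if ($null -eq $installed) {
    Write-Warning 'Veeam Backup Enterprise Manager does not appear to be installed on this host.'
}
elseif ($installed -ge $FixedVersion) {
    "Enterprise Manager $installed is at or above $FixedVersion; no mitigation needed."
}
else {
    Write-Warning "Enterprise Manager $installed predates $FixedVersion; applying mitigation."
    Disable-VeeamEMServices
    Block-VeeamEMWebPort
}
```

After patching to 12.1.2.172, reverse the mitigation: set the two services back to their original startup type and start them, and remove the temporary firewall rule with `Remove-NetFirewallRule -DisplayName 'TEMP Block Veeam EM web (KB4581)'`.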
For more information, please see the original advisory issued by Veeam: https://www.veeam.com/kb4581