A critical vulnerability in Veeam Software’s data backup and recovery solution was patched by the company earlier this week, but the security firm Tenable has already published a proof-of-concept (PoC) exploit for the flaw.
The flaw, tracked as CVE-2021-27085, has been publicly disclosed by Tenable before the official patch was released by Veeam. The security firm said its researchers had tried to keep the bug private but they decided to go public with their findings due to the lack of response from the vendor.
Veeam has confirmed the security hole and it has attributed it to a “legacy issue in the code of our 2006 product.” The company has advised customers to apply the update as soon as possible.
Impact of the Vulnerability
The vulnerability affects Veeam Availability Suite v9, Veeam Backup & Replication v10, and the Veeam Agents v2, according to Veeam. The company believes the flaw is “not exploitable for remote code execution” and that abuse is difficult as it requires “local elevation of privilege exploits on the backup server.”
However, Tenable’s PoC exploit shows that a local attacker can leverage the flaw to crash legitimate backup jobs and then move laterally to other systems within the organization’s network.
The PoC exploit had been tested by Tenable on Veeam Availability Suite v9, Veeam Backup & Replication v10, and Veeam Agents v2 running on Microsoft Windows 6.1. It’s worth noting that Tenable has released its PoC exploit on GitHub, so anyone, including malicious actors, can modify it and increase its effectiveness.
Veeam’s patch is available on the company’s website. It updates the Windows Backup Service to address the vulnerability, which is triggered when the service processes a specially crafted request containing an invalid memory address.
The patch is available even for those who use very old versions of the company’s software, including Veeam Availability Suite v9, Veeam Backup & Replication v10, and Veeam Agents v2.
Organizations that have not applied the update and cannot do so immediately can protect themselves against any potential attack by disabling the Windows Backup Service. Veeam says this can be done by navigating to the “Services” console and setting the startup type of “Veeam Backup Service” to “disabled.”
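For organizations that need to apply this interim workaround on more than one host, the following PowerShell (added here as an example, not code from the article or from Veeam) locates the service by the display name quoted above, records its current state so the change can be reverted once the patch is installed, then stops it, sets its startup type to Disabled and verifies the result. It assumes an elevated session on the backup server; the internal service name is not assumed.

```powershell
# Added example (not from the article or from Veeam): audit and apply the
# interim workaround of disabling the "Veeam Backup Service" on a Windows host.
# Assumption: the service is found by the display name quoted in the article;
# its internal service name is read at runtime rather than assumed.

function Get-VeeamBackupServiceState {
    # Report-only: returns the service's status and startup mode, and whether
    # the workaround is already in place; $null if the service is not present.
    $svc = Get-Service -DisplayName 'Veeam Backup Service' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    [pscustomobject]@{
        Name       = $svc.Name
        Status     = $svc.Status
        StartMode  = $cim.StartMode
        Workaround = ($svc.Status -eq 'Stopped' -and $cim.StartMode -eq 'Disabled')
    }
}

function Disable-VeeamBackupServiceWorkaround {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $before = Get-VeeamBackupServiceState
    if (-not $before) { throw 'Veeam Backup Service not found on this host.' }
    # Preserve the prior state for rollback after the vendor patch is applied.
    $before | Export-Clixml -Path "$env:ProgramData\veeam-backup-service-before.xml"
    if ($PSCmdlet.ShouldProcess($before.Name, 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name $before.Name -Force
        Set-Service -Name $before.Name -StartupType Disabled
    }
    # Return the post-change state so the caller can confirm Workaround = True.
    Get-VeeamBackupServiceState
}

# Preview first, then apply from an elevated prompt:
# Disable-VeeamBackupServiceWorkaround -WhatIf
# Disable-VeeamBackupServiceWorkaround
```

Disabling the service also halts scheduled backups, so this is a stopgap until the patch is applied, at which point the saved state file can be used to restore the original startup type.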
Organizations that have not yet applied Veeam’s patch for the CVE-2021-27085 vulnerability should do so as soon as possible, or at least disable the Windows Backup Service.