Veeam urged customers to patch a high-severity Backup Service security vulnerability impacting its Backup & Replication software.

The flaw (tracked as CVE-2023-27532) was reported in mid-February by a security researcher known as Shanigen, and it affects all Veeam Backup & Replication (VBR) versions.

Unauthenticated attackers can exploit it to access backup infrastructure hosts after obtaining encrypted credentials stored in the VeeamVBR configuration database.

According to Veeam's advisory, the root cause is that Veeam.Backup.Service.exe (which listens on TCP 9401 by default) allows unauthenticated users to request encrypted credentials.

"We have developed patches for V11 and V12 to mitigate this vulnerability and we recommend you update your installations immediately," the company said in an email sent to customers on Tuesday.

"If you are not the current manager of your Veeam environment, please forward this email to the proper person."

The company released security updates addressing this vulnerability for VBR V11 and V12; customers running older releases are advised to upgrade to one of these two supported versions first, since no fix is available for them.

Workaround also available

Veeam also provides a temporary fix for customers who can't immediately deploy this week's CVE-2023-27532 patches.

To block the attack vector and protect vulnerable servers from exploitation attempts, you can block external connections to TCP port 9401 on the backup server's firewall.

However, this workaround should only be used in non-distributed Veeam environments, since it also blocks the mount servers' connections to the VBR server.
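The workaround above, as an added example that is not part of the article or of Veeam's advisory: a PowerShell script for the VBR server that first confirms TCP 9401 is really owned by Veeam.Backup.Service.exe and then creates the inbound block rule with Windows' built-in NetSecurity cmdlets. The rule display name and the pre-check are our own choices; the script assumes the default port has not been changed.

```powershell
# Added example (not Veeam's or the article's code). Run in an elevated PowerShell
# session on the Veeam Backup & Replication server itself.
# Assumptions: Veeam.Backup.Service.exe listens on the default TCP 9401, and the
# rule display name below is arbitrary (Veeam does not prescribe one).

$Port = 9401
$RuleName = 'VBR - Block inbound TCP 9401 (CVE-2023-27532 workaround)'

# 1. Confirm the port assumption before blocking anything: which process owns the listener?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $Port; the Backup Service may use a non-default port. Aborting."
    return
}
$owner = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
if ($owner.ProcessName -ne 'Veeam.Backup.Service') {
    Write-Warning "TCP $Port is owned by '$($owner.ProcessName)', not Veeam.Backup.Service. Aborting."
    return
}

# 2. Create (or refresh) the inbound block rule. Windows Firewall gives Block rules
#    precedence over Allow rules, so this overrides the allow rule the Veeam installer added.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Temporary mitigation for CVE-2023-27532 until the V11/V12 patch is installed' `
    -Direction Inbound -Action Block -Enabled True `
    -Protocol TCP -LocalPort $Port -RemoteAddress Any `
    -Profile Any | Out-Null

# 3. Show the resulting port filter so the change can be recorded and reverted later.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Because Windows Firewall evaluates Block rules ahead of Allow rules, a distributed environment cannot keep its mount servers working simply by stacking an allow rule for their addresses on top of this block; the scope of the existing allow rule would have to be narrowed instead. Once the V11 or V12 patch is installed, remove the rule with `Remove-NetFirewallRule -DisplayName $RuleName` so normal service connectivity is restored.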

"When a vulnerability is disclosed, attackers will reverse-engineer patches to understand the vulnerability and exploit one on an unpatched version of software," Veeam warned.

"This underlines the importance of ensuring all your systems use the latest versions of all your deployed software, and patches are installed in a timely manner."

Veeam says its backup, disaster recovery, and data protection software is being used by over 450,000 customers worldwide, including 82% of Fortune 500 companies and 72% of the ones in the Global 2,000.
