
SecurityTrails Blog · Aug 12 · by Gianni Perez, German Hoeffner and Aaeron Soehnen

Slipping Under the Radar: CVE-2022-26501 - Veeam Unauthenticated RCE


Veeam Software, a global leader in data backup, replication, and disaster recovery solutions, recently disclosed a series of software vulnerabilities affecting the Veeam Distribution Service (VDS) of its flagship Veeam Backup Server line of products.

Officially known as CVE-2022-26500 and CVE-2022-26501, this critical vulnerability duo (exhibiting a combined CVSS score of 9.9) may allow unauthenticated users to perform Remote Code Execution (RCE) across versions 9.5, 10, and 11 of the Veeam Backup & Replication software suite.

More specifically, threat actors would be able to gain initial access by interacting with a specific set of vulnerable API components, leading to attacks ranging from shell implants to, in certain cases, denial-of-service conditions. Although access to the internal network is required, the bar for exploitation is relatively low: unrestricted access to TCP 9380 (with default settings) is all that is needed. However, VDS is installed by default on the Veeam Backup Server, and not just on the Distribution Server. If this server happens to have or share a public IP address, chances are that VDS was inadvertently exposed to the internet during the initial setup, when the port was first opened.

Proof of concept

When we tested CVE-2022-26501 (for versions 10 and 11), the exploit (see below) essentially allowed anyone to connect and interact with the service as advertised.

[Figure: Proof of concept]

In v11, for instance, a prior path name validator check was also removed; so, combined with the absence of access controls, one can effectively copy files from remote instances (e.g., source:evilserver\\trojan.exe destination:C:\trojan.exe). Similar approaches include the ability to upload files (think Veeam backup files) to a remote location, or even logs containing infrastructure details and other sensitive information.

Vulnerable instances report

When the vulnerability became publicly known in April of this year, we partnered with LeakIX, a vulnerability scanning platform, to conduct two internet-wide scans (one in April and another in June) in search of exploitable endpoints. The first scan uncovered 5,100 vulnerable instances, while the second scan still found 3,500 instances, suggesting that, during this timeframe, only a little over 30% of hosts had been patched.

Veeam instances associated with large providers like Hetzner or OVH performed a little worse (at a patching level of only 26%), while smaller organizations—with at most two hosts—fared a little better, showing an estimate of 40% of patched systems.

[Figure: Veeam instances by hoster]

Furthermore, we couldn’t find any examples of any type of organization having publicly exposed (or centralized) Veeam infrastructure, as there were no relevant cases where either all or none of the instances had been patched. In all, most of the discovered instances were located in the US, Germany, and France—with all these countries performing approximately the same when it came to updating/patching the instances.

[Figure: Veeam instances by country]

In a similar context, below are the same countries, but with the instances weighted per capita. The high prevalence in Germany, France, and especially Finland, is due to Hetzner and OVH operating large data centers in these areas. Although at a lower rate, Veeam also seems to be popular in countries like Canada or the Netherlands, while being less popular in the US.

[Figure: Veeam instances per capita]

Wrapping up

In summary, the vulnerability details are as follows:

  • Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed).
  • Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised).
  • Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable).
  • Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit).
  • Authentication: Not required (Authentication is not required to exploit the vulnerability).
  • Gained Access: Complete (Can result in lateral movement if VDS is fully compromised, as the Veeam database with credentials to any backed-up infrastructure is present on the server).

(Source: https://www.cvedetails.com/cve/CVE-2022-26501/)

In an effort to contain the vulnerability, Veeam has issued a few guiding notes and recommendations:

  • New deployments of Veeam Backup & Replication 10a or 11a using downloaded ISO images dating after March 2022 aren’t affected by this vulnerability.
  • As of now, however, two patches for versions 10a and 11a are immediately available and ready to be installed on the Veeam Backup & Replication Server side; if you’re using v9.5, Veeam highly suggests upgrading to a supported product version as no patch seems to be available for it.
  • If patching isn’t an option at any given moment, Veeam suggests stopping and disabling VDS as a temporary measure.
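The temporary measure in the last bullet can be applied and verified on a single backup server as follows. This is an added example, not a script from Veeam or the authors; it assumes the service's display name is "Veeam Distribution Service" and that VDS uses the default TCP port 9380 mentioned earlier.

```powershell
# Added example: temporary mitigation for CVE-2022-26500 / CVE-2022-26501 on one host.
# Assumptions: the service display name is "Veeam Distribution Service" and it
# listens on the default TCP port 9380 named in the article.
#Requires -RunAsAdministrator

$displayName = 'Veeam Distribution Service'   # assumed display name
$port        = 9380                           # default VDS port per the article

function Get-ListenerOnPort {
    param([int]$Port)
    # Return each listening socket on $Port together with its owning process.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "No service with display name '$displayName' on $env:COMPUTERNAME."
} else {
    Write-Output "Before: $($svc.Name) Status=$($svc.Status) StartType=$($svc.StartType)"
    # Disable first so nothing restarts the service between the two calls.
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
    }
    $svc = Get-Service -Name $svc.Name
    Write-Output "After:  $($svc.Name) Status=$($svc.Status) StartType=$($svc.StartType)"
}

# Verify the mitigation took effect: nothing should still listen on the VDS port.
$listeners = @(Get-ListenerOnPort -Port $port)
if ($listeners.Count -eq 0) {
    Write-Output "OK: nothing is listening on TCP $port."
} else {
    Write-Warning "TCP $port is still open:"
    $listeners | Format-Table -AutoSize
}
```

If the final check still reports a listener, the process name in the table shows what is holding the port, which is the thing to investigate before treating the host as mitigated.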

Finally, as we continue to prioritize risk reduction using our latest guiding feature, Risk Rules, our Attack Surface Intelligence (ASI) platform is uniquely positioned to give your organization forefront visibility into low-key CVEs such as 26500/501, helping you take any attack surface reduction initiative to the next level.

[Figure: Rules by issue]

Paired with a continuous, round-the-clock visibility of every public-facing asset and application there is, emerging threats can now be quickly targeted and remediated, assisted by the latest in vulnerability scanning technology. In the same manner, alerting capabilities can be leveraged to steer security teams towards any potential (or similar) exposures, should any vulnerable asset come online without adequate oversight.

Gain the upper hand over any threat actor out there today, and see for yourself how Attack Surface Intelligence enhances long-held standards, like CVEs, in the struggle to safeguard the modern digital enterprise.

GIANNI PEREZ

Gianni is a technical writer at SecurityTrails and adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems, from administration and software dev to automation, to provide valuable security insights that make a real difference.
