How to find Veeam software on your network

Updated

Latest Veeam vulnerabilities: (Backup & Replication, Agent for Linux, ONE, Service Provider Console, Backup for Nutanix AHV, Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization products) #

Veeam has disclosed multiple vulnerabilities for several of their products including Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Veeam Backup & Replication #

  • CVE-2024-40711 is rated critical, with a CVSS score of 9.8, and allows an authenticated attacker to execute arbitrary code.
  • CVE-2024-40713 is rated high, with a CVSS score of 8.8, and allows a user assigned a low-privileged role to configure and bypass MFA settings.
  • CVE-2024-40710 is rated high, with a CVSS score of 8.8, and allows an attacker or malicious user to execute arbitrary code as the service account and retrieve sensitive information from the system.
  • CVE-2024-39718 is rated high, with a CVSS score of 8.1, and allows a low-privileged user to remotely remove system files.
  • CVE-2024-40714 is rated high, with a CVSS score of 8.3, and allows an attacker MiTM access during restore operations.
  • CVE-2024-40712 is rated high, with a CVSS score of 7.8, and allows a low-privileged user account local access to the system to perform local privilege escalation.

Veeam Agent for Linux #

  • CVE-2024-40709 is rated high, with a CVSS score of 7.8, and allows root privilege escalation from a local low-privileged user.

Veeam ONE #

  • CVE-2024-42024 is rated critical, with a CVSS score of 9.1, and allows an attacker with service account credentials the ability to execute arbitrary code.
  • CVE-2024-42019 is rated critical, with a CVSS score of 9.0, and allows an attacker access to the NTLM hash of a service account.
  • CVE-2024-42023 is rated high, with a CVSS score of 8.8, and allows a low-privileged user the ability to remotely execute code with administrator privileges.
  • CVE-2024-42021 is rated high, with a CVSS score of 7.5, and allows an attacker with valid access tokens to access saved credentials.
  • CVE-2024-42022 is rated high, with a CVSS score of 7.5, and allows an attacker the ability to update configuration files.
  • CVE-2024-42020 is rated high, with a CVSS score of 7.3, and allows an attacker HTML injection.

Veeam Backup for Nutanix AHV, 
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization #

  • CVE-2024-40718 is rated high, with a CVSS score of 8.8, and allows a low-privileged user the ability to perform local privilege escalation.

What is the impact? #

Successful exploitation of some the vulnerabilities listed above could allow an attacker, low-privileged user, or service account the ability to perform arbitrary remote code execution, privilege escalation to varying levels, or read sensitive information in transit within the same network.

Are updates or workarounds available? #

Veeam has issued patches for all affected products. They are available for download in the Solution section of each respective product in the Security Bulletin link above.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

has:"epm.veeam.agent" OR (tcp_port:9380 tcp_port:10001)

CVE-2022-26500 and CVE-2022-26501 (December 2022) #

In December 2022, Veeam published information on two vulnerabilities in the Veeam Backup & Replication product, originally reported by Nikita Petrov of Positive Technologies.

As of December 16th, CISA had announced the addition of two critical vulnerabilities (tracked as CVE-2022-26500 and CVE-2022-26501) to the KEV catalog. These CVEs were actively being exploited, putting systems at risk. It was critical that these systems were updated to patch these vulnerabilities as soon as possible.

Which versions were affected? #

These vulnerabilities affected Backup & Replication versions 9.5, 10, and 11, allowing for exploitation by attackers to achieve unauthenticated remote code execution via the Veeam Distribution Service API. Details on the vulnerabilities (identified as CVE-2022-26500 and CVE-2022-26501) had not been published at the time of writing, though Veeam had assigned a "critical" CVSS score of 9.8.

Was an update available? #

Patched releases of Veeam Backup & Replication had been made available (see the "Solution" section). Guidance from Veeam was for administrators to update to these newer versions as soon as possible. If near-term updating was not possible, Veeam offered a temporary mitigation strategy via stopping-and-disabling the Veeam Distribution Service (see the "Solution->Notes" section).

How runZero users found potentially vulnerable Veeam instances with runZero #

We added the default port (9380) for the Veeam Distribution Service API to our runZero Explorer and Scanner. If you were using Explorer or Scanner v2.11.5 or later, you just needed to ensure you had performed a recent scan of your assets prior to running the query below. If users were using an older Explorer or Scanner, they could simply add port 9380 to the "Included TCP ports" (under the Advanced tab) and then run a scan to gather the necessary data.

From the Asset Inventory, using the following pre-built query would locate Veeam Distribution Service instances within their network to find potentially vulnerable versions of Veeam Backup & Replication:

tcp_port:9380
Veeam prebuilt query is available in the Queries Library

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

More about runZero Team
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find SonicWall devices on your network
SonicWall disclosed a vulnerability in their SonicOS management access and SSLVPN products that could lead to unauthorized resource access, runZero...
Rapid Response
How to find D-Link DIR-846W routers on your network
D-Link has disclosed several vulnerabilities regarding their DIR-846W routers. Here's how to find them on your network.
Rapid Response
How to find Zyxel devices on your network
Zyxel disclosed a vulnerability in several Zyxel Wireless Access Point (WAP) and router devices. CVE-2024-7261 is rated extremely critical with...
Rapid Response
How to find AVTECH cameras on your network
Akamai disclosed a 0-day vulnerability in the AVTECH AVM1203 network camera. CVE-2024-7029 is rated high with CVSS score of 8.7.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved