⚠️ Fixed Veeam CVE-2022-26500 & CVE-2022-26501 are being exploited (CISA)

  • 18 December 2022
  • 5 comments
  • 781 views

Userlevel 7
Badge +14

It shouldn’t be news to you that Veeam B&R had 2 critical vulnerabilities (CVSS 9.8/8.8) in March 2022. Patches were released for v10a and v11a at that time.

Here’s the corresponding KB article and a post from @Iams3le:

Veeam KB4288

If you haven’t updated yet, then here’s another good reason.

Last week the Cybersecurity & Infrastructure Security Agency (CISA) added both vulnerabilities to their Known Exploited Vulnerabilities catalog. This means that attackers are now actively exploiting the vulnerabilities and targeting environments which use Veeam B&R.

CISA Known Exploited Vulnerabilities Catalog


I hope you don’t need more reasons to keep your Veeam installation up-to-date. Please also keep in mind that any other Veeam build below v10 is also affected, but as those are already End of Fix/Support, they didn’t receive any patches.
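The practical question the post raises is whether a given Veeam B&R build string already carries the fix. The following is an added example, not code from the post, from Veeam or from CISA: it parses a build string in the "11.0.1.1261 P20220302" form, compares it against the two fixed builds named above (from KB4288), and looks the two CVEs up in a local copy of the CISA KEV feed. The build strings other than the two fixed builds are illustrative inputs; the KEV sample uses the feed's real field names but constructed values; the "newer-than-table" outcome for anything above v11 is an assumption (check the vendor KB for those).

```python
"""Classify a Veeam B&R build against the KB4288 fixed builds and look up the
two CVEs in a CISA KEV feed document. Added illustration; not vendor code."""
import json
import re

# The two CVEs the post is about.
CVES = ("CVE-2022-26500", "CVE-2022-26501")

# Earliest build per release line that carries the fix (from the post / KB4288).
# The base build alone is NOT enough: the cumulative patch date after 'P' matters.
FIXED_BUILDS = {
    (11, 0): ((11, 0, 1, 1261), "20220302"),
    (10, 0): ((10, 0, 1, 4854), "20220304"),
}

# Accepts "11.0.1.1261 P20220302" as well as a bare "11.0.1.1261" (no patch applied).
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s*P(\d{8}))?\s*$")


def parse_build(build_string):
    """Return ((major, minor, rev, build), patch_date) where patch_date may be None."""
    m = BUILD_RE.match(build_string)
    if not m:
        raise ValueError(f"unrecognised Veeam build string: {build_string!r}")
    version = tuple(int(m.group(i)) for i in range(1, 5))
    return version, m.group(5)


def assess(build_string):
    """Return 'patched', 'vulnerable', 'end-of-fix' or 'newer-than-table'."""
    version, patch_date = parse_build(build_string)
    line = version[:2]
    if line not in FIXED_BUILDS:
        # Below v10 nothing was patched (End of Fix); anything newer than the
        # table is an assumption and must be checked against the vendor KB.
        return "end-of-fix" if version < (10, 0, 0, 0) else "newer-than-table"
    fixed_version, fixed_patch = FIXED_BUILDS[line]
    if version > fixed_version:
        return "patched"
    if version < fixed_version:
        return "vulnerable"
    # Same base build as the fixed one: only the cumulative patch date decides.
    # YYYYMMDD strings compare correctly as plain strings.
    if patch_date is None or patch_date < fixed_patch:
        return "vulnerable"
    return "patched"


def kev_entries(feed_json, cve_ids=CVES):
    """Return {cveID: (dateAdded, dueDate)} for the requested CVEs in a KEV feed."""
    feed = json.loads(feed_json)
    wanted = set(cve_ids)
    return {
        v["cveID"]: (v["dateAdded"], v["dueDate"])
        for v in feed["vulnerabilities"]
        if v["cveID"] in wanted
    }


# Constructed sample in the KEV feed's shape (field names real, values illustrative).
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-26500", "vendorProject": "Veeam",
         "product": "Backup & Replication", "dateAdded": "2022-12-13",
         "dueDate": "2023-01-03"},
        {"cveID": "CVE-2022-26501", "vendorProject": "Veeam",
         "product": "Backup & Replication", "dateAdded": "2022-12-13",
         "dueDate": "2023-01-03"},
        # Unrelated entry that the lookup must ignore.
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dateAdded": "2021-12-10",
         "dueDate": "2021-12-24"},
    ],
})


if __name__ == "__main__":
    for b in ["9.5.4.2866", "10.0.0.4461", "10.0.1.4854", "10.0.1.4854 P20220304",
              "11.0.0.837", "11.0.1.1261", "11.0.1.1261 P20220302",
              "11.0.1.1261 P20230227"]:
        print(f"{b:26s} -> {assess(b)}")
    print(kev_entries(SAMPLE_KEV))
```

The point worth noticing is the third branch of `assess`: a bare "11.0.1.1261" (11a without the cumulative patch) is classified as vulnerable, while the same base build with P20220302 or a later patch date is not, which is exactly the distinction the KB draws. To use it against a live catalog, feed the downloaded KEV JSON to `kev_entries` instead of `SAMPLE_KEV`.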


5 comments

Userlevel 7
Badge +20

Time to get patching if you have not already.  We patched as soon as these came out.

Userlevel 7
Badge +7

All my Veeam infrastructures are patched to the latest version 11a (build 11.0.1.1261 P20220302); I waited 2 months before installing it. :) ;)

Userlevel 7
Badge +7

Time to get patching if you have not already.  We patched as soon as these came out.

Same here. Patched as soon as we were made aware. 

Badge

I am confused by the above comment from Link, vs kb4288.


The KB indicates that 11a itself (11.01.1261.P20220302) does not include the patch for these vulns. So just having 11a does not do the job. Correct? Our warning from DoD says:

“Patches are available for Veeam Backup and Replication version 11a (build 11.0.1.1261 P20220302) and version 10a (build 10.0.1.4854 P20220304). Veeam does not intend to release a fix for 9.5 and advises users to upgrade to a supported version.”


thanks!

Userlevel 7
Badge +20

I am confused by the above comment from Link, vs kb4288.


The KB indicates that 11a itself (11.01.1261.P20220302) does not include the patch for these vulns. So just having 11a does not do the job. Correct? Our warning from DoD says:

“Patches are available for Veeam Backup and Replication version 11a (build 11.0.1.1261 P20220302) and version 10a (build 10.0.1.4854 P20220304). Veeam does not intend to release a fix for 9.5 and advises users to upgrade to a supported version.”


thanks!

The comment from Link and the KB URL do indicate that these are patched in the builds referenced for 11a and v10a. Anything below this is not patched.
