Vulnerability in Veeam Backup & Replication - March 2023


Userlevel 7
Badge +13

Veeam has just informed its customers about an existing vulnerability in Veeam Backup & Replication. Unauthorized users may be able to request encrypted credentials from the VBR service, and therefore get access to the backup infrastructure. The KB articles haven’t received updates so far, but the vulnerability did get a CVSSv3 score of 7.5.

EDIT: The KB article has just been published: KB4424

It’s recommended to patch VBR as soon as possible!

Solution

Patches have been released for VBR V11 and V12. Please keep in mind that older releases are also affected, but no longer get fixes. So you need to upgrade your installation to a supported release.

Workaround

As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.

Note about recent deployments

If you have recently deployed V11 or V12 then check the ISO image you’ve used for the installation. 20230227 (V11) and 20230223 (V12) already contain the patches and so aren’t vulnerable anymore.
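Added example, not from this thread or from Veeam: a PowerShell script that checks the Help > About version string against the patched builds named above (11.0.1.1261 P20230227 for V11, 12.0.0.1420 P20230223 for V12), shows whether the VBR service is listening on TCP 9401, and optionally applies the temporary workaround from the post as a Windows Firewall block rule. The rule name and the assumption that a later build of the same release also carries the fix are mine.

```powershell
# Added example (not from the thread or Veeam). Run elevated on the VBR server.
param(
    # Version string exactly as shown in Help > About, e.g. "11.0.1.1261 P20230227"
    [Parameter(Mandatory)][string]$AboutVersion,
    [switch]$ApplyWorkaround
)

# Minimum patched builds per major version, as given in the post and KB4424/KB4420.
$Fixed = @{
    '11' = @{ Build = '11.0.1.1261'; Patch = 20230227 }
    '12' = @{ Build = '12.0.0.1420'; Patch = 20230223 }
}

function Test-VbrPatched([string]$Version) {
    if ($Version -notmatch '^(?<build>(?<major>\d+)\.\d+\.\d+\.\d+)(?:\s+P(?<patch>\d{8}))?$') {
        throw "Unrecognised version string: '$Version'"
    }
    $major = $Matches.major
    if (-not $Fixed.ContainsKey($major)) {
        return $false   # V10 and older get no fix; upgrade to a supported release instead
    }
    $req     = $Fixed[$major]
    $build   = [version]$Matches.build
    # Assumption: a later build of the same major release, or the same build with a
    # later P-date, also carries the fix.
    $buildOk = $build -ge [version]$req.Build
    $patchOk = $Matches.patch -and ([int]$Matches.patch -ge $req.Patch)
    return ($buildOk -and (($build -gt [version]$req.Build) -or $patchOk))
}

$patched = Test-VbrPatched $AboutVersion
$state = if ($patched) { 'patched' } else { 'VULNERABLE - apply the patch' }
Write-Host ("VBR {0}: {1}" -f $AboutVersion, $state)

# Show whether the VBR service is actually listening on the affected port.
Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

if (-not $patched -and $ApplyWorkaround) {
    # Temporary mitigation only: this also cuts off mount servers in a distributed setup.
    New-NetFirewallRule -DisplayName 'TEMP block VBR TCP 9401 (KB4424)' -Direction Inbound `
        -Protocol TCP -LocalPort 9401 -Action Block -Profile Any | Out-Null
    Write-Host 'Inbound TCP 9401 blocked; remove this rule once the patch is applied.'
}
```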


60 comments

Userlevel 7
Badge +20

Nice to see they patched this one.  Have deployed in my homelab without issues.

Userlevel 7
Badge +7

I checked KB4245, and the build number does not match the email.

It should be 11.0.1.1261 P20220302, not P20230227. It seems the same as last year's release.


Userlevel 7
Badge +13

@CarySun The KB article hadn't been updated until now and did show the old build number. I'll update my post.

Userlevel 7
Badge +12

Thank you.
I forwarded the feedback. We will update it.

Userlevel 7
Badge +7

These are the correct KBs.

V11a: https://www.veeam.com/kb4424

V12: https://www.veeam.com/kb4420


Userlevel 7
Badge +7

Nice! Veeam corrected the KB4245 contents.


Userlevel 7
Badge +20

Yeah I have been watching the KBs so nice to see the change.

Userlevel 7
Badge +7

Another round of upgrades.. 😅🙁

Userlevel 2

Hi,

Bit confused about the different versions. I’m in the process of patching my v11a. After patching, can you please tell me exactly what the version in Help => About should read, so that I know it is the patched one and I’m all good to go?

thanks

Userlevel 7
Badge +7

Hi Vassilis, for v11 the build number will be 11.0.1.1261 P20230227

https://www.veeam.com/kb4245

If you are upgrading to v12, the version will be 12.0.0.1420 P20230223

https://www.veeam.com/kb4420

Userlevel 2

Thanks Marco,

So I’m good??? I have nothing to fear, let the hackers try 🤣

Userlevel 7
Badge +13

Looks good, so at least you don't have to fear this certain vulnerability anymore 😉

Userlevel 7
Badge +10

First patching


Userlevel 7
Badge +20

Patching v12 is all good in my homelab no issues.  Patch planning for our v11a environment is now in progress before we upgrade to v12.  😁

Userlevel 3
Badge

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

Userlevel 2

The error mentions TLS 1.2; maybe your specific server does not allow TLS 1.2. Can you check with crypto and see the protocols enabled around your B&R infra?

I would strongly suggest opening a support ticket though.

Userlevel 3
Badge

Thank you @Vassilis, already opened SR #05922394 with high severity.

Of course, needless to say, this infrastructure worked correctly before the patch was applied, and no other change was introduced in the meantime (I also refrained from applying a couple of pending OS updates, which are already scheduled for next week).

Seems like something’s awry in the DB (“Field not found”…?!).

Userlevel 7
Badge +20

I am guessing it is not an expired SSL certificate by chance, since the error RetrieveCertUseTls12Only has that in it. Hopefully support gets it sorted out for you.

Userlevel 7
Badge +11

Silly question here:

After applying the patch on v11, if I update VBR to V12…

Do I need to apply the patch again?

Userlevel 3
Badge

Hello @wolff.mateus,

no you don’t, if you used the already-updated ISO for the upgrade.

KB4424 specifies:
All new deployments of Veeam Backup & Replication versions 12 and 11 installed using the ISO images dated 20230223 (V12) and 20230227 (V11) or later are not vulnerable.

Userlevel 7
Badge +20

I am going to assume the ISO for v12 will include the patch like they did with v11a.  So, the upgrade should have the patch.

Userlevel 3
Badge

Thank you @Chris.Childerhose,

support refers to a known issue with v11 that I’ve run into, and at first recommends upgrading to v12 (which can’t currently be done due to the missing Azure plug-in for v12).

Userlevel 7
Badge +8

It depends on when you downloaded the ISO for V12; if it was before yesterday you will need to download the patch. https://www.veeam.com/kb4420

Userlevel 7
Badge +7

I just finished a project and I already have to patch it! Glad to see the responsiveness of Veeam to fix this vulnerability

Userlevel 7
Badge +13

I also today updated environments, which I had upgraded just last week. That’s life 😉

@pgallenga Where do you get this error?
