Vulnerability in Veeam Backup & Replication - March 2023


Userlevel 7
Badge +14

Veeam has just informed its customers about an existing vulnerability in Veeam Backup & Replication. Unauthorized users may be able to request encrypted credentials from the VBR service, and therefore get access to the backup infrastructure. The KB articles haven’t received updates so far, but the vulnerability did get a CVSSv3 score of 7.5.

EDIT: The KB article has just been published: KB4424

It’s recommended to patch VBR as soon as possible!

Solution

Patches have been released for VBR V11 and V12. Please keep in mind that older releases are also affected, but no longer get fixes. So you need to upgrade your installation to a supported release.

Workaround

As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.

Note about recent deployments

If you have recently deployed V11 or V12 then check the ISO image you’ve used for the installation. 20230227 (V11) and 20230223 (V12) already contain the patches and so aren’t vulnerable anymore.
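The port 9401 workaround described above, as an added PowerShell example that is not part of the original post or Veeam's tooling; the firewall rule name is my own choice. It first lists hosts currently connected to the port (in a distributed environment these are the mount servers the block will cut off) and then adds an inbound block rule that is removed again after patching:

```powershell
# Added example: temporary mitigation until the KB4424 patch is installed.
# Run in an elevated PowerShell session on the Veeam Backup & Replication server.
$Port     = 9401
$RuleName = 'TEMP-Block-VBR-9401-KB4424'   # assumed, arbitrary rule name

# 1. Impact check: which remote hosts currently talk to TCP 9401?
#    With a distributed deployment these are typically mount servers.
$peers = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' } |
    Select-Object -ExpandProperty RemoteAddress -Unique
if ($peers) {
    Write-Warning "Hosts connected to TCP $Port that will lose access: $($peers -join ', ')"
} else {
    Write-Host "No established connections to TCP $Port; the block should not disrupt mount servers."
}

# 2. Apply the block (idempotent: skip if the rule already exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any `
        -Description 'Temporary mitigation until the Veeam patch (KB4424) is installed' | Out-Null
    Write-Host "Inbound TCP $Port is now blocked by rule '$RuleName'."
}

# 3. After the patch is installed, remove the temporary rule again:
#    Remove-NetFirewallRule -DisplayName $RuleName
```

Restores from repositories not hosted on the VBR server itself will fail while the rule is in place, so treat it strictly as a stopgap before patching.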


60 comments

Userlevel 3
Badge

I just finished a project and I already have to patch it! Glad to see the responsiveness of Veeam to fix this vulnerability

I also today updated environments, which I had upgraded just last week. That’s life 😉

@pgallenga Where do you get this error?

In every job: backup, backup copy, SOBR, etc.

The only thing still working is the Configuration Backup 😓

Userlevel 7
Badge +14

Doesn't sound so good. 😐 Did you have any (private) hotfixes installed? Anything special about TLS?

Userlevel 3
Badge

Doesn't sound so good. 😐 Did you have any (private) hotfixes installed? Anything special about TLS?

Working with support to understand the possible outcomes, will update you when we have a solution of sort.

Userlevel 7
Badge +11

Silly question here:

After apply patch on v11, if I update VBR to V12…

Need I apply patch again?

 

It depends when you downloaded the ISO for V12; if it was before yesterday you will need to download the patch. https://www.veeam.com/kb4420

 

Perfect!

Userlevel 1

Please advise on roll back options if issues occur during patch?

Userlevel 7
Badge +20

Please advise on roll back options if issues occur during patch?

If your VBR server is a VM then take a snapshot prior to the patching so you can roll back.  For a physical server you may want to install the Agent and do a backup prior.

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

We are experiencing the same issues after patching our v11 infrastructure today. Just opened a support case. 

Userlevel 7
Badge +11

Thx for posting this @regnor, already patched the VCC environment and a lot of backup servers 😄

Userlevel 3
Badge

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

We are experiencing the same issues after patching our v11 infrastructure today. Just opened a support case. 

Sorry to hear about that, @dfit.

Hope it gets sorted out quickly.

Userlevel 1

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

Userlevel 7
Badge +20

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

Always a safe bet to disable everything.  Makes things easier for updates/upgrades.

Userlevel 7
Badge +14

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

@Cassy.Haley You only need to disable jobs that are running continuously, like copy jobs or tape jobs for example. Also make sure no Veeam Backup Console is open.

Hi all,

 

Long story short. Will be upgrading from v9 soon; till then I was planning on blocking port 9401.

From my understanding this will only affect being able to restore files, does anyone know if blocking this port will affect backing up our VMs?

Userlevel 7
Badge +10

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

One trick I’ve done for this message is reboot, and before the services start back up - run the hotfix. 

 

If you still can’t get it installed - I’d recommend you open a support ticket.

Userlevel 7
Badge +20

Hi all,

 

Long story short. Will be upgrading from v9 soon; till then I was planning on blocking port 9401.

From my understanding this will only affect being able to restore files, does anyone know if blocking this port will affect backing up our VMs?

No this port should not affect backups as it is Mount Server related as per here - https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120#mount-server-connections

Userlevel 7
Badge +14

@46er You might only see problems during restores if your repositories aren’t hosted by the Veeam backup server itself.

But, if you’re still on VBR v9 you have much worse unpatched vulnerabilities:

https://www.veeam.com/kb4288?ad=in-text-link

https://www.veeam.com/kb4289?ad=in-text-link

https://www.veeam.com/kb4290?ad=in-text-link

I wouldn’t wait any longer to patch your environment. Especially as there are known attacks using the vulnerabilities above.

Userlevel 1

Hi there,

Unfortunately for this task I’m neither an educated nor a professional admin.
Nevertheless I have to update a VBR on a Hyper-V VM running now 11.0.1.1261 P20211211.

I downloaded the ISO file (approx. 10GB) “VeeamBackup&Replication_11.0.1.1261_20230227.iso”. But I don’t know what to do now. I guess I have to mount the ISO at the VM. But I’m afraid to overwrite all current settings…

Is there a step by step manual? Or could anybody please help me and could explain what I have to do exactly?

Thanks a lot.

Userlevel 7
Badge +17

Do a configuration backup of your Veeam database first. With this you can recreate your VBR server in case something happens.

 

With the ISO you can do an update. Normally no settings are overwritten.

There are several guides here in the community, please do search for “update”.

Userlevel 7
Badge +20

Hi there,

Unfortunately for this task I’m neither an educated nor a professional admin.
Nevertheless I have to update a VBR on a Hyper-V VM running now 11.0.1.1261 P20211211.

I downloaded the ISO file (approx. 10GB) “VeeamBackup&Replication_11.0.1.1261_20230227.iso”. But I don’t know what to do now. I guess I have to mount the ISO at the VM. But I’m afraid to overwrite all current settings…

Is there a step by step manual? Or could anybody please help me and could explain what I have to do exactly?

Thanks a lot.

You also have the option to download only the patch file and run that instead of the entire ISO. But as Joe said, it will work; just take the configuration backup first.

Userlevel 7
Badge +10

Hi there,

Unfortunately for this task I’m neither an educated nor a professional admin.
Nevertheless I have to update a VBR on a Hyper-V VM running now 11.0.1.1261 P20211211.

I downloaded the ISO file (approx. 10GB) “VeeamBackup&Replication_11.0.1.1261_20230227.iso”. But I don’t know what to do now. I guess I have to mount the ISO at the VM. But I’m afraid to overwrite all current settings…

Is there a step by step manual? Or could anybody please help me and could explain what I have to do exactly?

Thanks a lot.

Yes, please check out the V11 upgrade center:  http://vee.am/v11upgradecenter (but also the V12 Upgrade Center:  http://vee.am/v12upgradecenter )

Userlevel 1

Thank you. I could successfully make a configuration backup and mount the ISO. But there is no UPDATE option for me, only an INSTALL option. I’m a little bit confused right now.

At the moment I don’t have official VEEAM support (it expired a month ago) but of course an official license for VEEAM Backup & Replication 11. Is the expired support the reason why I can’t start an UPDATE?

Userlevel 7
Badge +20

Thank you. I could successfully make a configuration backup and mount the ISO. But there is no UPDATE option for me, only an INSTALL option. I’m a little bit confused right now.

At the moment I don’t have official VEEAM support (it expired a month ago) but of course an official license for VEEAM Backup & Replication 11. Is the expired support the reason why I can’t start an UPDATE?

Use this link that was posted above which is just the patch for 11a - Veeam Software for Enterprise

This will just do the upgrade rather than using the ISO and is smaller.

Userlevel 3
Badge

Hello everybody,

This issue was fixed by Support, who today released a PrivateFix to us for the V11a Cumulative Patch 5 (P20230227):

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

 

Also 👍 double-thumbs-up 👍 to @regnor, who was right: a private hotfix was applied to that infrastructure a few months ago, and unfortunately the CP5 patch didn’t take that into account.

Doesn't sound so good. 😐 Did you have any (private) hotfixes installed? Anything special about TLS?

 

Great job by the Veeam Support team, that managed to get the backups up and running, and thanks everyone for the support here too!

Userlevel 7
Badge +14

@pgallenga Thank you for the feedback. I’m glad that support could solve this one 😊 Probably not every private hotfix is included in the following CU, so in your case some parts were reverted by the patch.

Userlevel 1

Hi.

After installing the new version …

Please help.

Jan

 
