Vulnerability in Veeam Backup & Replication - March 2023


Userlevel 7
Badge +14

Veeam has just informed its customers about an existing vulnerability in Veeam Backup & Replication. Unauthorized users may be able to request encrypted credentials from the VBR service and thereby gain access to the backup infrastructure. The KB articles haven’t received updates so far, but the vulnerability did get a CVSSv3 score of 7.5.

EDIT: The KB article has just been published: KB4424

It’s recommended to patch VBR as soon as possible!

Solution

Patches have been released for VBR V11 and V12. Please keep in mind that older releases are also affected, but no longer get fixes. So you need to upgrade your installation to a supported release.

Workaround

As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.
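The workaround above, as an added PowerShell example that is not part of the original post: it checks that something is listening on TCP 9401, creates an inbound block rule once, and verifies it. The rule name is my own choice; run it in an elevated PowerShell on the VBR server itself.

```powershell
# Added example (not from the Veeam post): temporary inbound block of the
# VBR service port TCP 9401 on a non-distributed VBR server, plus a check.
# Run in an elevated PowerShell on the VBR server.
$RuleName = 'Temp-Block-VBR-9401'   # hypothetical rule name, pick your own

# 1. Confirm something is actually listening on 9401 before touching firewall rules.
$listener = Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning 'Nothing is listening on TCP 9401; check that this is the VBR server.'
}

# 2. Create the block rule only if it does not exist yet (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 9401 `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created inbound block rule '$RuleName' for TCP 9401."
}

# 3. Verify the rule is enabled and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
'{0}: Enabled={1} Action={2} LocalPort={3}' -f $rule.DisplayName, $rule.Enabled, $rule.Action, $port.LocalPort

# 4. Once the patch is installed, remove the temporary rule again:
# Remove-NetFirewallRule -DisplayName $RuleName
```

Remember that this block also stops mount servers from reaching the VBR server, which is why the post limits it to non-distributed environments.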

Note about recent deployments

If you have recently deployed V11 or V12 then check the ISO image you’ve used for the installation. 20230227 (V11) and 20230223 (V12) already contain the patches and so aren’t vulnerable anymore.


60 comments

Userlevel 1

Hi.

After install new version …

Please help.

Jan

 

Problem fixed.  Run as administrator for the first time. 😁

Userlevel 7
Badge +10

Hi.

After install new version …

Please help.

Jan

 

Problem fixed.  Run as administrator for the first time. 😁

Cool, thanks for sharing.

Userlevel 7
Badge +20

Afternoon, I had a reminder from Veeam today that I want to share, before installing this patch, if you have any private fixes / hotfixes, be sure to check with Veeam support that you’re okay to patch before doing so.

Userlevel 7
Badge +8

Afternoon, I had a reminder from Veeam today that I want to share, before installing this patch, if you have any private fixes / hotfixes, be sure to check with Veeam support that you’re okay to patch before doing so.

thanks for the heads up!

Dear Community
We have here a physical standalone Veeam Backup Server with Veeam B+R 11 where I installed that patch yesterday, and that worked well, I think.

We also have a virtual Veeam Server with Veeam B+R 11 where we save client backups from our Windows computers with Veeam Agent for Windows (Free Edition). On that system I did not install the patch.


In the productive Veeam Backup Server I see the other server in the “Backup Infrastructure” section as a member.
I do not exactly know why these two Veeam servers are connected; the important one I patched is for backup of productive virtual servers, the not so important one is for the client backups.

The patch did some component updates on all connected systems (remote repos, backup proxies) and somehow also on that connected Veeam Backup Server for the clients.

 

Now my Agent for Windows (Free Edition) cannot back up our clients anymore; when I edit the existing backup job on a client, the client cannot get the information of the backup repository. The message is “failed to retrieve disk space”.

 

 

How can I check if that component update is responsible for that problem?

Is there a way to downgrade the components of that Veeam Server that is responsible for the client backups?

 

Thank you very much for your help

Userlevel 7
Badge +17

Hi,
is it a server managed or a standalone agent?

Did you upgrade the agent, too?

Hi JMeixner

The Agent for Windows (for client backups) is communicating with a virtual server with Veeam B+R 11.
The client is not managed; it’s the free edition. I did not update the client software or that Veeam server installation. I just patched the server installation that is responsible for the backup of our virtual servers.

I do not know why the two Veeam servers are connected; my colleague installed the whole Veeam infrastructure.

 

Userlevel 7
Badge +20

Hi JMeixner

The Agent for Windows (for client backups) is communicating with a virtual server with Veeam B+R 11.
The client is not managed; it’s the free edition. I did not update the client software or that Veeam server installation. I just patched the server installation that is responsible for the backup of our virtual servers.

I do not know why the two Veeam servers are connected; my colleague installed the whole Veeam infrastructure.

 

You probably need to update the agent now to get things working again.  Veeam will automatically patch all connected servers in your infrastructure unless you uncheck them.

On my laptop I have Agent 5.0.3.4708, and this version cannot read the size of the backup repos on the Veeam Server with the updated components (PATCH IS NOT INSTALLED HERE).
On another laptop I installed the newest Veeam Agent for Windows 6.0.0.960, and when I want to create a job with that Agent, the Agent says:

 

 

Userlevel 7
Badge +20

On my laptop I have Agent 5.0.3.4708, and this version cannot read the size of the backup repos on the Veeam Server with the updated components (PATCH IS NOT INSTALLED HERE).
On another laptop I installed the newest Veeam Agent for Windows 6.0.0.960, and when I want to create a job with that Agent, the Agent says:

 

 

Yes, v11 of VBR is not compatible with the v6 agent, so you will need to downgrade it to the latest v5 one.
