Vulnerability in Veeam Backup & Replication - March 2023


Userlevel 7
Badge +14

Veeam has just informed its customers about an existing vulnerability in Veeam Backup & Replication. Unauthorized users may be able to request encrypted credentials from the VBR service, and therefore get access to the backup infrastructure. The KB articles haven’t received updates so far, but the vulnerability did get a CVSSv3 score of 7.5.

EDIT: The KB article has just been published: KB4424

It’s recommended to patch VBR as soon as possible!

Solution

Patches have been released for VBR V11 and V12. Please keep in mind that older releases are also affected, but no longer get fixes. So you need to upgrade your installation to a supported release.

Workaround

As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.

Note about recent deployments

If you have recently deployed V11 or V12 then check the ISO image you’ve used for the installation. 20230227 (V11) and 20230223 (V12) already contain the patches and so aren’t vulnerable anymore.
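As an added example (not from the original post or from Veeam), the two checks described above in PowerShell: the temporary firewall workaround for TCP 9401, and a check of whether an installation ISO already carries the fixed build, going by the date suffix in the ISO file name. It assumes a Windows VBR server with the NetSecurity module (Windows Server 2012 R2 or later); the rule name is made up here, and the V12 ISO naming format is assumed to follow the V11 one seen in this thread.

```powershell
# Added example, not from the original post or from Veeam.
# Part 1: the temporary workaround, blocking inbound TCP 9401 on the VBR server.
# Only for non-distributed environments (mount servers use this port); remove after patching.
$ruleName = "TEMP-Block-VBR-9401"   # assumed rule name, chosen for this example

function Enable-Vbr9401Block {
    # Idempotent: re-running the script must not create a second copy of the rule.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 9401 -Action Block -Profile Any | Out-Null
    }
    # Windows Firewall does not filter loopback traffic, so verify from another host:
    #   Test-NetConnection -ComputerName <vbr-server> -Port 9401
    # and confirm that the TCP test fails while the rule is in place.
}

function Disable-Vbr9401Block {
    # Run this once the patch from KB4424 / KB4420 has been applied.
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
}

# Part 2: does an installation ISO already contain the fix? Patched ISO build dates
# from the post above: V11 = 20230227, V12 = 20230223. Older releases get no fix.
$patchedBuildDate = @{ '11' = 20230227; '12' = 20230223 }

function Test-VeeamIsoPatched {
    param([Parameter(Mandatory)][string]$IsoName)
    # File name format as seen in the thread: VeeamBackup&Replication_<build>_<yyyyMMdd>.iso
    if ($IsoName -match '_(\d+)\.\d+\.\d+\.\d+_(\d{8})\.iso$') {
        $major = $Matches[1]
        $date  = [int]$Matches[2]
    } else {
        throw "Unrecognised ISO name: $IsoName"
    }
    if (-not $patchedBuildDate.ContainsKey($major)) {
        return $false   # V10 and older: unsupported and unpatched, upgrade instead
    }
    # yyyyMMdd as an integer compares chronologically.
    return $date -ge $patchedBuildDate[$major]
}

# ISO name quoted in the thread, and a constructed older-build name for comparison.
Test-VeeamIsoPatched 'VeeamBackup&Replication_11.0.1.1261_20230227.iso'
Test-VeeamIsoPatched 'VeeamBackup&Replication_11.0.1.1261_20220302.iso'
```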



Userlevel 7
Badge +12

I checked KB4245, and the build number does not match the email.

It should be 11.0.1.1261 P20220302, not P20230227. It seems the same as last year's release.

 

Thank you.
I forwarded the feedback. We will update it.

Userlevel 7
Badge +14

@46er You might only see problems during restores if your repositories aren’t hosted by the Veeam backup server itself.

But, if you’re still on VBR v9 you have much worse unpatched vulnerabilities:

https://www.veeam.com/kb4288?ad=in-text-link

https://www.veeam.com/kb4289?ad=in-text-link

https://www.veeam.com/kb4290?ad=in-text-link

I wouldn’t wait any longer to patch your environment. Especially as there are known attacks using the vulnerabilities above.

Userlevel 7
Badge +7

I checked KB4245, and the build number does not match the email.

It should be 11.0.1.1261 P20220302, not P20230227. It seems the same as last year's release.

 

Userlevel 7
Badge +14

@CarySun The KB article hadn't been updated until now and did show the old build number. I'll update my post.

Userlevel 7
Badge +7

Nice! Veeam corrected the KB4245 contents.

 

Userlevel 2

Hi Vassilis, for v11 build number will be 11.0.1.1261 P20230227

 

https://www.veeam.com/kb4245

 

If you are upgrading to v12, the version will be 12.0.0.1420 P20230223

 

https://www.veeam.com/kb4420

 

Thanks marco,

 

 

So I’m good??? I have nothing to fear, let the hackers try 🤣

Userlevel 3
Badge


Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

The error mentions TLS 1.2; maybe your specific server does not allow TLS 1.2. Can you check with crypto and see the protocols enabled around your B&R infra?

 

I would strongly suggest to open a support ticket though.

 

Thank you @Vassilis, already opened SR #05922394 with high Severity.

Of course, needless to say, this infrastructure worked correctly before the patch was applied, and no other change was introduced in the meanwhile (I also refrained from applying a couple of pending OS updates, which are already scheduled for next week).

Seems like something’s awry on the DB (“Field not found”…?!).

Userlevel 7
Badge +20

Nice to see they patched this one.  Have deployed in my homelab without issues.

Userlevel 7
Badge +7

These are the correct KBs.

V11a: https://www.veeam.com/kb4424

V12: https://www.veeam.com/kb4420

 

Userlevel 7
Badge +7

Hi Vassilis, for v11 build number will be 11.0.1.1261 P20230227

 

https://www.veeam.com/kb4245

 

If you are upgrading to v12, the version will be 12.0.0.1420 P20230223

 

https://www.veeam.com/kb4420

Userlevel 7
Badge +14

Looks good, so at least you don't have to fear this certain vulnerability anymore 😉

Userlevel 3
Badge

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

Userlevel 2


Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

The error mentions TLS 1.2; maybe your specific server does not allow TLS 1.2. Can you check with crypto and see the protocols enabled around your B&R infra?

 

I would strongly suggest to open a support ticket though.

Userlevel 7
Badge +8

Silly question here:

After apply patch on v11, if I update VBR to V12…

Need I apply patch again?

 

It depends on when you downloaded the ISO for V12; if it was before yesterday you will need to download the patch. https://www.veeam.com/kb4420

 

Userlevel 7
Badge +7

I just finished a project and I already have to patch it! Glad to see the responsiveness of Veeam to fix this vulnerability

Userlevel 1

Please advise on roll back options if issues occur during patch?

Userlevel 7
Badge +20

Please advise on roll back options if issues occur during patch?

If your VBR server is a VM then take a snapshot prior to the patching so you can roll back.  For a physical server you may want to install the Agent and do a backup prior.

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

We are experiencing the same issues after patching our v11 infrastructure today. Just opened a support case. 

Userlevel 1

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

Userlevel 7
Badge +20

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

Always a safe bet to disable everything.  Makes things easier for updates/upgrades.

Userlevel 7
Badge +10

I keep getting the same error to stop and disable all jobs. I have made sure there are no running jobs and have rebooted the server. Do I need to disable all jobs even if they aren’t running?

 

One trick I’ve done for this message is reboot, and before the services start back up - run the hotfix. 

 

If you still can’t get it installed - I’d recommend you open a support ticket.

Userlevel 1

Hi there,

unfortunately for this task I’m neither an educated nor a professional admin.
Nevertheless I have to update a VBR on a Hyper-V VM running now 11.0.1.1261 P20211211.

I downloaded the ISO file (approx. 10GB) “VeeamBackup&Replication_11.0.1.1261_20230227.iso”. But I don’t know what to do now. I guess I have to mount the ISO at the VM. But I’m afraid to overwrite all current settings…

Is there a step by step manual? Or could anybody please help me and could explain what I have to do exactly?

Thanks a lot.

Userlevel 7
Badge +17

Do a configuration backup of your Veeam database first. With this you can recreate your VBR server in case something happens.

 

With the ISO you can do an update. Normally no settings are overwritten.

There are several guides here in the community, please do search for “update”.

Userlevel 3
Badge

Hello everybody,

this issue was fixed by Support, which today released us a PrivateFix for the V11a Cumulative Patch 5 (P20230227):

Hello everybody,

I’m having issues with one of the v11 installations after applying the patch, with errors like:

Failed to preprocess target Error: Field not found: 'Veeam.Backup.Common.COptions.RetrieveCertUseTls12Only'.  

 

Patching on other infrastructures (both v11 and v12) went smoothly.

Anyone else experiencing the same behaviour?

 

Also 👍 double-thumbs-up 👍 to @regnor, who was right: a private hotfix was applied to that infrastructure a few months ago, and unfortunately the CP5 patch didn’t take that into account.

Doesn't sound so good. 😐 Did you have any (private) hotfixes installed? Anything special about TLS?

 

Great job by the Veeam Support team, that managed to get the backups up and running, and thanks everyone for the support here too!

Userlevel 7
Badge +14

@pgallenga Thank you for the feedback. I’m glad that support could solve this one 😊 Probably not every private hotfix is included in the following CU, so in your case some parts were reverted by the patch.
