Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows allows local privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code with LOCAL SYSTEM privileges.
Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows
+11[Microsoft MVP | Veeam Legend 6* | VMware vExpert 5* | Cisco Champion 3* | Object First Ace]
+21Thanks for sharing
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+14There are also some big vulnerabilities in VBR which should be parched immediately (CVSS 9.8): https://www.veeam.com/kb4288
Max M. | Systems Engineer @Veeam | VMCE/VMCA | VeeaMVP 2023 | former Legend & Vanguard
+8thx for sharing, for a what a news on monday morning
Severity: Critical
CVSS v3 score: 9.8
+12BertrandFR wrote:
thx for sharing, for a what a news on monday morning
Severity: Critical
CVSS v3 score: 9.8
That was Saturday evening news for me. I have stopped the distribution service on all of our critical environments immediately :)
Product Management Analyst @ Veeam Software
+8Mildur wrote:
BertrandFR wrote:
thx for sharing, for a what a news on monday morning
Severity: Critical
CVSS v3 score: 9.8
That was Saturday evening news for me. I have stopped the distribution service on all of our critical environments immediately :)
What a nice saturday night for you! I think the emergency will depend if your infra is exposed 
but patch quickly anyway
+12BertrandFR wrote:
Mildur wrote:
BertrandFR wrote:
thx for sharing, for a what a news on monday morning
Severity: Critical
CVSS v3 score: 9.8
That was Saturday evening news for me. I have stopped the distribution service on all of our critical environments immediately :)
What a nice saturday night for you! I think the emergency will depend if your infra is exposed but patch quickly anyway
Patching will be planned for this week.
The Distribution Service on Port 9380 is listening on each VBR server by default. Not all environments have closed this port on their firewall or have a dedicated subnet where the vbr server is installed. I thinking of small customers with only a few machines to backup. So better disable the service until there is a maintenance window to patch the product. :)
If this vulnerability is somehow used to gain access to the vbr server, the entire credential database can be exported. All domain and hypervisor Accounts would be available to the hacker.
Product Management Analyst @ Veeam Software
+11- Temporary mitigation of the vulnerabilities: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.
confirm this fix temp the vul?
Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
1 person likes this
+12Link State wrote:
- Temporary mitigation of the vulnerabilities: Stop and disable the Veeam Distribution Service. The Veeam Distribution Service is installed on the Veeam Backup & Replication server and servers specified as distribution servers in Protection Groups.
confirm this fix temp the vul?
Yes, the issue lies in the Distribution Service.
If you disable the Service, the Port 9380 is shutdown and cannot be used from the network to overtake the vbr or distribution server.
Product Management Analyst @ Veeam Software
+11Thx
Send magic powershell command for stop & disable bugged service :D
Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Comment
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.