CVE-2024-22022
📋 TL;DR
CVE-2024-22022 allows a low-privileged Veeam Recovery Orchestrator user to read the NTLM hash of the service account under which the Veeam Orchestrator Server Service runs. An NTLM hash does not need to be cracked to be useful: it can be replayed directly in pass-the-hash attacks, letting the attacker authenticate as the service account to any host that accepts NTLM and inherit whatever privileges that account holds. Organizations running an affected Veeam Recovery Orchestrator version are impacted.
💻 Affected Systems
- Veeam Recovery Orchestrator (releases prior to the fixed version listed under Official Fix)
📦 What is this software?
Veeam Recovery Orchestrator (VRO) is Veeam's disaster-recovery orchestration product: it builds, tests and documents recovery plans for workloads protected by Veeam Backup & Replication. Its core component, the Veeam Orchestrator Server Service, runs on a Windows server under a service account, which is why credential material tied to that account is valuable to an attacker.
⚠️ Risk & Real-World Impact
Worst Case
Attackers who obtain the hash can authenticate as the service account over NTLM (pass-the-hash) without ever learning the password. If that account holds elevated rights in Active Directory, as backup and recovery service accounts frequently do, this leads to domain administrator privileges and compromise of the entire Active Directory environment.
Likely Case
A low-privileged user, or an attacker who has obtained low-privileged access, escalates to the service account's privileges within the Veeam environment, gaining access to backup data and the ability to disrupt recovery operations.
If Mitigated
With network segmentation, privileged access management (a service account holding only the rights it needs) and monitoring in place, the impact is limited to the Veeam environment and does not extend to domain-wide compromise.
🎯 Exploit Status
Exploitation requires an authenticated account with low-privileged access to the Veeam Recovery Orchestrator interface; no other network position is needed beyond reaching that interface. Once obtained, the hash is directly usable for NTLM authentication, so no offline cracking step is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.2 (confirm the exact fixed build number against the vendor advisory before marking a system as remediated)
Vendor Advisory: https://veeam.com/kb4541
Restart Required: Yes
Instructions:
1. Download Veeam Recovery Orchestrator 7.2 from the Veeam website.
2. Run the installer on the Orchestrator Server.
3. Follow the upgrade wizard.
4. Restart the server after installation completes.
5. Reset the password of the service account used by the Veeam Orchestrator Server Service. Patching stops further disclosure but does not invalidate a hash that may already have been read; only a password change does.
🔧 Temporary Workarounds
Restrict low-privileged user access
Temporarily remove or restrict low-privileged user accounts in Veeam Recovery Orchestrator until patching is complete; any user who can sign in to the interface is in a position to reach the hash.
Implement network segmentation
Isolate the Veeam Recovery Orchestrator server from domain controllers and other critical systems so that a stolen hash cannot be replayed against them over NTLM.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Veeam Recovery Orchestrator from domain controllers
- Enforce least privilege access and monitor all Veeam Recovery Orchestrator user activities
- Limit where the service account is allowed to authenticate (for example, the Active Directory logon-workstation restriction on the account) so that a replayed hash is only accepted by the hosts Veeam actually needs
🔍 How to Verify
Check if Vulnerable:
Open the Veeam Recovery Orchestrator web interface and go to Help > About. If the version shown is below 7.2, the system is vulnerable.
Check Version:
No command-line check is given on this page; use Help > About in the web interface. On the Orchestrator server itself, the installed build is also listed next to the Veeam Recovery Orchestrator entry in Programs and Features.
Verify Fix Applied:
After upgrading, verify version shows 7.2 or higher in Help > About. Test that low-privileged users can no longer access service account information.
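A small helper for the version check above, added here as an example and not code from the page or from Veeam. It pulls the dotted version out of the Help > About text and compares it component by component against the fixed release, because a naive string comparison ranks "7.10" below "7.2" and would report a newer build as vulnerable. The fixed version is the one this page lists; the installed build strings in the test are constructed.

```python
"""Compare an installed Veeam Recovery Orchestrator build with the fixed release.

Added example, not from the original page or from Veeam. Versions are compared
numerically per component; a plain string comparison would get "7.10" vs "7.2"
wrong. FIXED_VERSION is the release this page lists; confirm the exact fixed
build number in the vendor advisory (KB4541) before relying on it.
"""
import re

FIXED_VERSION = "7.2"   # as listed on this page; verify the exact build in KB4541


def parse_version(text):
    """Extract the first dotted numeric version from text such as 'Version 7.1.0.205'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def _pad(version, length):
    """Right-pad a version tuple with zeros so (7, 2) compares as (7, 2, 0, 0)."""
    return version + (0,) * (length - len(version))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


def naive_is_vulnerable(installed, fixed=FIXED_VERSION):
    """The comparison NOT to write: lexicographic, so '7.10' < '7.2' is True."""
    return installed < fixed


if __name__ == "__main__":
    # Constructed Help > About strings, not real builds.
    for about in ("Version 7.1.0.205", "Version 7.2", "Version 7.10.0.1"):
        print(about, "vulnerable:", is_vulnerable(about), "naive:", naive_is_vulnerable(about.split()[-1]))
```

Run it against the version string copied from Help > About; the `naive_is_vulnerable` line only exists to show why string comparison is the wrong tool for build numbers.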
📡 Detection & Monitoring
Log Indicators:
- Successful logons (Windows Security event 4624) for the Veeam service account using NTLM over a network logon (logon type 3) from hosts other than the Orchestrator server, and any interactive or RDP logon (types 2 and 10) for an account that should only run a service
- Failed logons (event 4625) for the service account, especially from hosts that are not Veeam components
Network Indicators:
- NTLM authentication to domain controllers using the Veeam service account from sources outside the established baseline, or a shift from Kerberos to NTLM for that account
- Lateral movement (SMB, WMI or WinRM sessions) originating from the Veeam server or carried out under the service account
SIEM Query (the source and field names below are placeholders; map them to the field names in your own log schema):
source="veeam_logs" AND (event_type="service_account_access" OR user_privilege="low")
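The log indicators above, turned into a hunt over exported Windows Security events. This is an added example, not code from the page or from Veeam: it reads 4624/4625 records as a SIEM would export them (JSON lines) and flags the pass-the-hash shape, namely NTLM network logons for the service account from a host other than the Orchestrator server, interactive logons for a pure service account, and failed logons from foreign hosts. The account name `svc-vro`, the Orchestrator IP and the sample events are all constructed for the example.

```python
"""Hunt for pass-the-hash use of the Veeam Orchestrator service account.

Added example, not from the original page or from Veeam. Parses Windows
Security logon events (4624 success, 4625 failure) exported as JSON lines
and flags records that fit a pass-the-hash pattern. The service account
name, the Orchestrator host IP and the events below are assumptions.
"""
import json
from collections import Counter

SERVICE_ACCOUNT = "svc-vro"          # assumed name of the VRO service account
ORCHESTRATOR_HOSTS = {"10.0.1.20"}   # assumed IP(s) of the Orchestrator server
INTERACTIVE_LOGON_TYPES = {2, 10}    # Interactive and RemoteInteractive (RDP)

# Constructed sample export, not real telemetry.
SAMPLE_EVENTS = """\
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","TargetUserName":"svc-vro","IpAddress":"10.0.1.20","WorkstationName":"VRO01","Computer":"DC01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"svc-vro","IpAddress":"10.0.1.20","WorkstationName":"VRO01","Computer":"DC01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"svc-vro","IpAddress":"10.0.5.77","WorkstationName":"WS-PENTEST","Computer":"DC01"}
{"EventID":4624,"LogonType":10,"AuthenticationPackageName":"Negotiate","TargetUserName":"svc-vro","IpAddress":"10.0.5.77","WorkstationName":"WS-PENTEST","Computer":"FS01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"jdoe","IpAddress":"10.0.5.10","WorkstationName":"WS-JDOE","Computer":"FS01"}
{"EventID":4625,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"svc-vro","IpAddress":"10.0.5.77","WorkstationName":"WS-PENTEST","Computer":"DC01"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return a finding label for one logon record, or None when it looks benign."""
    if event.get("TargetUserName", "").lower() != SERVICE_ACCOUNT:
        return None
    logon_type = int(event.get("LogonType", 0))
    package = event.get("AuthenticationPackageName", "")
    source = event.get("IpAddress", "")
    if event.get("EventID") == 4625:
        # Failed logons for the service account from a host that is not Veeam
        return "failed_logon_foreign_host" if source not in ORCHESTRATOR_HOSTS else None
    if event.get("EventID") != 4624:
        return None
    if logon_type in INTERACTIVE_LOGON_TYPES:
        # A service account should never log on interactively or over RDP
        return "interactive_logon_service_account"
    if logon_type == 3 and package == "NTLM" and source not in ORCHESTRATOR_HOSTS:
        # NTLM network logon from a foreign host: the classic pass-the-hash shape
        return "ntlm_network_logon_foreign_host"
    return None


def hunt(text):
    """Run classify() over an export and return the findings with their context."""
    findings = []
    for event in parse_events(text):
        label = classify(event)
        if label:
            findings.append({
                "label": label,
                "source_ip": event.get("IpAddress"),
                "workstation": event.get("WorkstationName"),
                "target": event.get("Computer"),
            })
    return findings


def summarize(findings):
    """Count findings per label."""
    return Counter(finding["label"] for finding in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

NTLM logons originating from the Orchestrator server itself are treated as baseline here, so a hash replayed from that host would not be flagged; if your environment expects the service account to use Kerberos only, tighten the rule to alert on any NTLM logon for the account regardless of source.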