CVE-2024-42022
📋 TL;DR
An incorrect permission assignment vulnerability in Veeam products allows attackers with local access to modify product configuration files. This could lead to service disruption or unauthorized configuration changes. Affects Veeam Backup & Replication installations with specific configurations.
💻 Affected Systems
- Veeam Backup & Replication
📦 What is this software?
One by Veeam
⚠️ Risk & Real-World Impact
Worst Case
Attacker modifies configuration to disable security controls, redirect backups to malicious storage, or cause complete service failure.
Likely Case
Malicious insider or compromised account modifies configurations to disrupt backup operations or exfiltrate backup data.
If Mitigated
Limited impact due to proper access controls and monitoring preventing unauthorized configuration changes.
🎯 Exploit Status
Requires local access and appropriate permissions; trivial to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fix from Veeam KB4649
Vendor Advisory: https://www.veeam.com/kb4649
Restart Required: Yes
Instructions:
1. Download the fix from Veeam KB4649.
2. Stop Veeam services.
3. Apply the fix.
4. Restart Veeam services.
5. Verify permissions are corrected.
🔧 Temporary Workarounds
Restrict File Permissions
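Windows: Manually adjust permissions on Veeam configuration files to restrict write access. Deny entries are evaluated before allow entries, so any account that is also a member of Users loses write access; confirm that Veeam services and administrators can still write to the directory after the change.
icacls "C:\ProgramData\Veeam\Backup" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"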
🧯 If You Can't Patch
- Implement strict access controls limiting who can access Veeam server
- Enable detailed auditing of configuration file modifications and monitor for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check if configuration files in Veeam installation directories have overly permissive write permissions for non-administrative users
Check Version:
Check Veeam console Help > About or review installed patches for KB4649
Verify Fix Applied:
Verify configuration files now have proper restrictive permissions and only SYSTEM/Administrators have write access
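Added example (not from the Veeam advisory or the original page): one way to run both checks above in PowerShell, listing every Allow entry that gives a principal other than SYSTEM or Administrators a write-type right. The default path is the directory named in the workaround; the parameter name and the set of rights treated as "write" are assumptions of this example.

```powershell
# Audit write access under the Veeam configuration directory (added example).
# Run from an elevated prompt so every ACL can be read.
param([string]$Path = 'C:\ProgramData\Veeam\Backup')   # assumed default, taken from the workaround

# Principals expected to keep write access: SYSTEM and BUILTIN\Administrators.
$trusted = 'S-1-5-18', 'S-1-5-32-544'

# Rights that let a principal change content, ACLs or ownership, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can appear
# in inheritable entries.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x40000000 -bor 0x10000000

# The directory itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # unreadable ACL: skip rather than abort the scan

    # Ask for SIDs so the comparison does not depend on localized account names.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }                    # Deny entries are not findings
        if ($trusted -contains $ace.IdentityReference.Value) { continue }       # expected writers
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }        # read/execute only

        # Resolve the SID to a name for the report when possible.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1    # non-zero so a scheduled task or CI job can alert on it
}
'No write access for principals other than SYSTEM/Administrators was found.'
exit 0
```

The script only reports Allow entries; it does not evaluate whether a Deny entry overrides them, so a finding on a system using the workaround above may already be blocked in practice.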
📡 Detection & Monitoring
Log Indicators:
- Windows Security event logs showing unauthorized file modifications in Veeam directories
- Veeam service logs showing configuration changes outside maintenance windows
Network Indicators:
- Unusual backup destination changes in network traffic
- Unexpected connections to backup repositories
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Veeam%' AND Accesses LIKE '%WriteData%' AND NOT SubjectUserName IN ('SYSTEM', 'Administrator')