CVE-2024-42023
📋 TL;DR
This CVE describes an improper access control vulnerability in Veeam software that allows low-privileged users to remotely execute code with Administrator privileges. This is a privilege escalation vulnerability that affects Veeam Backup & Replication installations. Attackers can exploit this to gain complete control over affected systems.
💻 Affected Systems
- Veeam Backup & Replication
📦 What is this software?
One by Veeam
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative access, allowing attackers to install malware, steal sensitive backup data, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain administrative privileges on the Veeam server, enabling them to access and potentially exfiltrate backup data, modify backup configurations, or deploy ransomware.
If Mitigated
With proper network segmentation and least privilege access controls, impact is limited to the Veeam server itself, though administrative access still represents significant risk.
🎯 Exploit Status
Requires low-privileged user access. The vulnerability is in access control mechanisms, making exploitation relatively straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 12.1.2.173 or later
Vendor Advisory: https://www.veeam.com/kb4649
Restart Required: Yes
Instructions:
1. Download Veeam Backup & Replication 12.1.2.173 or later from the Veeam website.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the Veeam Backup Service after installation completes.
🔧 Temporary Workarounds
Restrict Veeam Service Access
Limit network access to Veeam Backup Service ports to only trusted administrative systems (Windows):
netsh advfirewall firewall add rule name="Restrict Veeam Service" dir=in action=allow protocol=TCP localport=9392 remoteip=192.168.1.0/24,10.0.0.0/8 enable=yes
Note that an allow rule only restricts access when the firewall profile's default inbound action is Block (or an explicit block rule for the port exists); confirm that before relying on this rule.
Implement Least Privilege Access
Review and restrict user permissions to only necessary functions within Veeam (all platforms)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Veeam servers from general user networks
- Enable detailed logging and monitoring for privilege escalation attempts on Veeam servers
🔍 How to Verify
Check if Vulnerable:
Check Veeam Backup & Replication version in the Veeam console under Help > About. If version is 12.1.2.172 or earlier, the system is vulnerable.
Check Version:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" -Name Version
Verify Fix Applied:
After patching, verify version is 12.1.2.173 or later in Help > About. Test that low-privileged users cannot perform administrative functions.
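The following PowerShell script is an added example, not part of the Veeam advisory or this page: it reads the installed version from the registry key named above, falls back to the file version of the backup service binary, and compares the result against the fixed build 12.1.2.173 using proper version comparison rather than string comparison. The registry value name and the service name are assumptions; adjust them if your installation differs.

```powershell
# Added example (not from the advisory): report whether the installed
# Veeam Backup & Replication build predates the fix for CVE-2024-42023.
$FixedVersion = [version]'12.1.2.173'
$RegistryPath = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'  # key named on the page
$ServiceName  = 'VeeamBackupSvc'                                     # assumed service name

function Get-VeeamInstalledVersion {
    # First try the registry value named on the page (assumed to hold a version string).
    $props = Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue
    if ($props -and $props.Version) {
        return [version]$props.Version
    }
    # Fallback: read the file version of the service executable (assumption: the
    # service PathName points at the backup service binary).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.PathName) {
        $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
        if (Test-Path $exe) {
            return [version](Get-Item $exe).VersionInfo.FileVersion
        }
    }
    return $null
}

function Test-VeeamVulnerable {
    param([version]$Installed = (Get-VeeamInstalledVersion))
    if (-not $Installed) {
        return [pscustomobject]@{ Installed = $null; Fixed = $FixedVersion; Vulnerable = 'Unknown' }
    }
    # [version] comparison is numeric per component, so 12.1.2.9 < 12.1.2.173 as intended.
    [pscustomobject]@{
        Installed  = $Installed
        Fixed      = $FixedVersion
        Vulnerable = ($Installed -lt $FixedVersion)
    }
}

Test-VeeamVulnerable | Format-List
```

Run it in an elevated PowerShell session on the Veeam server; a `Vulnerable` value of `True` means the build predates 12.1.2.173 and the patch above still applies. The `[version]` cast is deliberate: a plain string comparison would rank "12.1.2.9" above "12.1.2.173".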
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in Windows Security logs
- Veeam service logs showing administrative actions from non-admin accounts
- Event ID 4672 (Special privileges assigned to new logon) for Veeam service accounts
Network Indicators:
- Unusual connections to Veeam Backup Service port (default 9392/TCP) from non-admin systems
- Traffic patterns indicating privilege escalation attempts
SIEM Query:
(source="veeam_logs" AND (event_type="privilege_escalation" OR user_privilege_change="true")) OR (source="windows_security" AND event_id=4672 AND process_name="VeeamBackupSvc.exe")
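As an added example that is not part of this page, the PowerShell script below turns the Event ID 4672 indicator into a local check: it pulls recent "Special privileges assigned to new logon" events from the Security log on the Veeam server, extracts the subject account from each event's XML, and reports logons by accounts that are not on an expected-admin allow-list. The allow-list entries are placeholders; replace them with your actual Veeam service and administrator accounts.

```powershell
# Added example (not from the advisory): flag 4672 logons by unexpected accounts
# on a Veeam server. Placeholder allow-list; populate with your real accounts.
$ExpectedAccounts = @('SYSTEM', 'svc_veeam', 'backupadmin')

function Get-UnexpectedSpecialPrivilegeLogons {
    param(
        [string[]]$Allowed = $ExpectedAccounts,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4672 carries SubjectUserName, SubjectDomainName, SubjectLogonId and
        # PrivilegeList in its EventData; read them from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $data['SubjectUserName']
            Domain     = $data['SubjectDomainName']
            LogonId    = $data['SubjectLogonId']
            Privileges = ($data['PrivilegeList'] -replace '\s+', ' ').Trim()
        }
    } | Where-Object {
        # Skip expected admin/service accounts and machine accounts (trailing '$').
        ($Allowed -notcontains $_.Account) -and ($_.Account -notlike '*$')
    }
}

Get-UnexpectedSpecialPrivilegeLogons | Sort-Object Time | Format-Table -AutoSize
```

Reading the Security log requires an elevated session. Any account that appears here and is not a known administrator deserves a look at the matching 4624 logon (same `LogonId`) and at the Veeam service logs for administrative actions from that account, which is the second log indicator listed above.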