CVE-2024-42451
📋 TL;DR
This vulnerability in Veeam Backup & Replication allows authenticated low-privileged users to retrieve all stored credentials in plaintext through external protocol manipulation. Attackers can exploit this to gain sensitive authentication data, potentially leading to lateral movement and unauthorized access to managed systems. Organizations using affected Veeam versions are at risk.
💻 Affected Systems
- Veeam Backup & Replication
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all credentials stored in Veeam, leading to domain takeover, data exfiltration, ransomware deployment across backup infrastructure and connected systems.
Likely Case
Credential theft enabling unauthorized access to backup targets, storage systems, and managed infrastructure, potentially disrupting recovery capabilities.
If Mitigated
Limited credential exposure if strict access controls and network segmentation are implemented, though some credentials may still be compromised.
🎯 Exploit Status
Exploitation requires authenticated access but minimal technical skill once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.1.2.172
Vendor Advisory: https://www.veeam.com/kb4693
Restart Required: Yes
Instructions:
1. Download Veeam Backup & Replication 12.1.2.172 from the Veeam website.
2. Run the installer on the backup server.
3. Follow the upgrade wizard.
4. Restart the backup server when prompted.
🔧 Temporary Workarounds
Restrict Protocol Access
Limit network access to Veeam backup server ports to only trusted administrative systems.
Configure firewall rules to restrict access to Veeam ports (typically 9392-9395, 6160-6180) to administrative IPs only.
Minimize User Privileges
Review and reduce user permissions to the minimum required for job functions.
Audit Veeam user roles and remove unnecessary permissions using Veeam Enterprise Manager or PowerShell, for example:
Get-VBRUser | Where-Object {$_.Role -ne 'Administrator'} | Set-VBRUser -Role 'RestoreOperator'
Note that this pipeline demotes every account that is not an Administrator to RestoreOperator; review the output of the Get/Where stage before piping it into Set-VBRUser.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Veeam backup server from general user networks
- Enable detailed logging and monitoring for credential access attempts and implement credential rotation for all stored credentials
🔍 How to Verify
Check if Vulnerable:
Check the Veeam Backup & Replication version in the console: Help > About. If the version is below 12.1.2.172, the system is vulnerable.
Check Version:
In Veeam PowerShell: Get-VBRServerVersion | Select Version
Verify Fix Applied:
Verify version shows 12.1.2.172 or higher in Help > About, and test that low-privileged users cannot access credential retrieval functionality.
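The version comparison above is easy to get wrong if done as a string comparison ("12.1.2.9" sorts after "12.1.2.172" lexically). The following added example, which is not Veeam's own tooling, compares a version string obtained from Help > About or Get-VBRServerVersion numerically against the fixed build from this advisory; the four-component layout is an assumption about the version string's shape.

```python
"""Numeric version check against the advisory's fixed build.

Added example, not part of the advisory or of Veeam's tooling. It assumes
the version string has the dotted form shown in Help > About (e.g. 12.1.2.172).
"""
from typing import Tuple

FIXED_VERSION = "12.1.2.172"  # patch version stated in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172) so components compare numerically.

    Missing trailing components count as 0, so '12.1' compares as 12.1.0.0.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample values, not real inventory data.
    for v in ("12.1.1.56", "12.1.2.9", "12.1.2.172", "12.1.10.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

The numeric compare is the whole point: "12.1.2.9" is reported as vulnerable even though a string comparison would place it after "12.1.2.172".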
📡 Detection & Monitoring
Log Indicators:
- Unusual credential access patterns in Veeam logs
- Multiple failed authentication attempts followed by successful credential retrieval
- User activity outside normal business hours accessing credential-related functions
Network Indicators:
- Unusual traffic to Veeam ports from non-administrative systems
- External connections to Veeam backup server
SIEM Query:
source="veeam*" AND (event_id=190 OR event_id=191 OR "credential" OR "password") AND user!="SYSTEM" AND user!="Administrator"
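To show what the SIEM query above actually selects, and how the "outside normal business hours" indicator can be layered on top of it, here is an added example that is not part of the advisory. It runs the query's logic over a handful of constructed log records; the record layout (source, event_id, user, message, timestamp) and the business-hours window are assumptions, not Veeam's real log schema.

```python
"""Apply the advisory's SIEM query logic to constructed Veeam-style log records.

Added example, not part of the advisory. The record fields and the 08:00-18:00
weekday business-hours window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

SERVICE_ACCOUNTS = {"SYSTEM", "Administrator"}   # user!="SYSTEM" AND user!="Administrator"
CREDENTIAL_EVENT_IDS = {190, 191}                # event_id=190 OR event_id=191
KEYWORDS = ("credential", "password")            # "credential" OR "password"
BUSINESS_HOURS = (time(8, 0), time(18, 0))       # assumed window for off-hours flagging


@dataclass
class LogRecord:
    source: str
    event_id: int
    user: str
    message: str
    timestamp: datetime


def matches_query(rec: LogRecord) -> bool:
    """Mirror the advisory's query: source=veeam*, credential events or keywords,
    excluding the SYSTEM and Administrator accounts."""
    if not rec.source.lower().startswith("veeam"):
        return False
    if rec.user in SERVICE_ACCOUNTS:
        return False
    text = rec.message.lower()
    return rec.event_id in CREDENTIAL_EVENT_IDS or any(k in text for k in KEYWORDS)


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def triage(records: List[LogRecord]) -> List[Tuple[LogRecord, bool]]:
    """Return each matching record paired with its off-hours flag."""
    return [(rec, is_off_hours(rec.timestamp)) for rec in records if matches_query(rec)]


# Constructed sample records; 2024-06-12 is a Wednesday.
SAMPLE_RECORDS = [
    LogRecord("veeam_backup", 190, "jdoe", "Credential retrieved for host esx01",
              datetime(2024, 6, 12, 2, 15)),
    LogRecord("veeam_backup", 100, "SYSTEM", "Password sync completed",
              datetime(2024, 6, 12, 2, 16)),
    LogRecord("veeam_backup", 191, "Administrator", "Credential listed",
              datetime(2024, 6, 12, 9, 0)),
    LogRecord("veeam_backup", 300, "jdoe", "Backup job completed",
              datetime(2024, 6, 12, 9, 5)),
    LogRecord("winlogon", 190, "jdoe", "Logon session started",
              datetime(2024, 6, 12, 9, 6)),
    LogRecord("veeam_em", 42, "bsmith", "Password export requested",
              datetime(2024, 6, 12, 10, 30)),
]


if __name__ == "__main__":
    for rec, off_hours in triage(SAMPLE_RECORDS):
        flag = " [OFF-HOURS]" if off_hours else ""
        print(f"{rec.timestamp:%Y-%m-%d %H:%M} {rec.user:<10} event_id={rec.event_id} {rec.message}{flag}")
```

Only two of the six records survive: the 02:15 credential retrieval by jdoe (flagged off-hours) and bsmith's keyword hit at 10:30. The SYSTEM and Administrator records are excluded exactly as the query's `user!=` clauses intend, which is also the query's blind spot: an attacker who obtains one of those accounts will not appear in this search, so the role-minimization workaround above matters for detection as well as containment.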