CVE-2024-42453
📋 TL;DR
CVE-2024-42453 is a privilege escalation vulnerability in Veeam Backup & Replication that allows low-privileged users to perform unauthorized actions on connected virtual infrastructure hosts. This includes powering off VMs, deleting files, and modifying configurations, potentially causing DoS and data integrity issues. Organizations using affected Veeam Backup & Replication versions are impacted.
💻 Affected Systems
- Veeam Backup & Replication
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of virtual infrastructure with data destruction, service disruption, and potential ransomware deployment across backup systems.
Likely Case
Unauthorized VM shutdowns causing business disruption, deletion of backup files leading to data loss, and configuration changes affecting backup integrity.
If Mitigated
Limited impact with proper network segmentation and strict access controls preventing low-privileged users from reaching management services.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access and knowledge of vulnerable methods in management services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.1.2.172
Vendor Advisory: https://www.veeam.com/kb4693
Restart Required: No
Instructions:
1. Download Veeam Backup & Replication 12.1.2.172 from the Veeam website.
2. Run the installer on the backup server.
3. Follow the upgrade wizard instructions.
4. Verify successful installation in the Veeam console.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily remove or restrict low-privileged user access to the Veeam Backup & Replication console and management services.
Network Segmentation
Isolate Veeam Backup & Replication management interfaces from general user networks.
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) limiting users to minimum necessary permissions
- Monitor and audit all configuration changes and VM operations in Veeam logs
🔍 How to Verify
Check if Vulnerable:
Check the Veeam Backup & Replication version in the console: Help > About. If the version is below 12.1.2.172, the system is vulnerable.
Check Version:
In Veeam console: Help > About displays version information
Verify Fix Applied:
Verify that the version shows 12.1.2.172 or higher in Help > About. Test that a low-privileged user cannot perform unauthorized host operations.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes in Veeam logs
- Unexpected VM power operations from low-privileged accounts
- File deletion events in backup storage logs
Network Indicators:
- Unusual management service requests from non-admin users
- Multiple configuration modification attempts
SIEM Query:
source="veeam_logs" AND (event_type="configuration_change" OR event_type="vm_power_operation") AND user_role!="administrator"
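The following Python script is an added example, not part of this advisory or Veeam's own tooling. It covers two points above: the version check under "How to Verify" (comparing an installed build against the 12.1.2.172 threshold as numeric tuples, which avoids the string-ordering trap where "12.1.10.0" sorts below "12.1.2.172") and the "Detection & Monitoring" logic, applied to constructed sample events. The key=value log layout, the role names, the user names and the version strings other than 12.1.2.172 are all assumptions made for illustration; they are not Veeam's real log format or real builds. The filter mirrors the SIEM query (flagged event types from any non-administrator role) and additionally includes file-deletion events, as listed under Log Indicators.

```python
# Added example for CVE-2024-42453 triage: version check plus log filtering.
# Not Veeam code; the log format and sample values below are constructed.
import re
from typing import Iterable

# Patch version stated in the advisory.
FIXED_VERSION = (12, 1, 2, 172)


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted build string such as '12.1.2.172' into an int tuple for ordering."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below 12.1.2.172.

    Tuple comparison orders components numerically, so '12.1.10.0' is correctly
    treated as newer than '12.1.2.172' (a plain string compare would get this wrong).
    A shorter string such as '12.1.2' compares as below the full fixed build.
    """
    return parse_version(version) < FIXED_VERSION


# Constructed sample events in a simple key=value layout (assumed, not Veeam's real format).
SAMPLE_LOG = """\
ts=2024-09-04T10:01:12Z user=svc_backup role=administrator event_type=configuration_change target=repo01
ts=2024-09-04T10:03:40Z user=jdoe role=backup_viewer event_type=vm_power_operation target=vm-db01 action=poweroff
ts=2024-09-04T10:04:02Z user=jdoe role=backup_viewer event_type=file_delete target=db01.vbk
ts=2024-09-04T10:05:11Z user=asmith role=backup_operator event_type=job_start target=job-nightly
ts=2024-09-04T10:07:55Z user=jdoe role=backup_viewer event_type=configuration_change target=credentials
"""

# Event types from the advisory's SIEM query, plus file deletion from the Log Indicators list.
SUSPICIOUS_EVENTS = {"configuration_change", "vm_power_operation", "file_delete"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict; quoted values have their quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_suspicious(log_lines: Iterable[str]) -> list[dict[str, str]]:
    """Mirror the SIEM query: flagged event types performed by any non-administrator role."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("event_type") in SUSPICIOUS_EVENTS and ev.get("role", "") != "administrator":
            hits.append(ev)
    return hits


def count_by_user(hits: list[dict[str, str]]) -> dict[str, int]:
    """Repeated hits from one account ('multiple configuration modification attempts')
    are a stronger signal than a single isolated event."""
    counts: dict[str, int] = {}
    for ev in hits:
        user = ev.get("user", "?")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    # Version strings other than 12.1.2.172 are constructed for illustration.
    for v in ("12.1.1.56", "12.1.2.172", "12.1.10.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for ev in hits:
        print(f"ALERT {ev['ts']} {ev['user']} ({ev['role']}) {ev['event_type']} -> {ev.get('target')}")
    print("hits per user:", count_by_user(hits))
```

In production the `role` field would come from whatever your SIEM maps Veeam's role assignment to; the point of the example is the shape of the filter, not the field names. Run it as a script to see the three flagged events from the sample, all attributed to one non-administrator account.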