CVE-2024-42455
📋 TL;DR
A vulnerability in Veeam Backup & Replication allows low-privileged authenticated users to exploit insecure deserialization via remoting services, enabling arbitrary file deletion with service account privileges. This affects organizations using vulnerable Veeam Backup & Replication installations where users have access to the application. The vulnerability stems from insufficient input validation during deserialization.
💻 Affected Systems
- Veeam Backup & Replication
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through file deletion leading to service disruption, data loss, or privilege escalation by deleting critical system files.
Likely Case
Data destruction or service disruption through targeted deletion of backup files, configuration files, or other critical application data.
If Mitigated
Limited impact if proper access controls restrict low-privileged user access to remoting services and file permissions are properly configured.
🎯 Exploit Status
Requires authenticated access and knowledge of serialization techniques, but exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.2.0.334
Vendor Advisory: https://www.veeam.com/kb4693
Restart Required: No
Instructions:
1. Download Veeam Backup & Replication 12.2.0.334 from the Veeam website.
2. Run the installer on the Veeam server.
3. Follow the upgrade wizard.
4. Verify that the installation completes successfully.
🔧 Temporary Workarounds
Restrict access to Veeam remoting services
Platform: Windows
Limit network access to Veeam remoting services to only trusted administrative users and systems.
Use Windows Firewall to restrict access to Veeam service ports (typically 9392/TCP, 9393/TCP)
Implement least privilege access
Platform: all
Review and restrict user permissions to only the functions each user needs within Veeam Backup & Replication.
Review Veeam user roles and permissions in the Veeam Backup & Replication console.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Veeam servers from general user networks
- Enable detailed logging and monitoring for file deletion events and Veeam service access
🔍 How to Verify
Check if Vulnerable:
Check the Veeam Backup & Replication version in the console (Help > About) or via PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Veeam*'} | Select-Object Name, Version
Note that querying Win32_Product enumerates every MSI package and triggers a consistency check for each, so it is slow on large servers; the console Help > About view is the quicker check.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Veeam Backup*'} | Select-Object Name, Version   # the installed product is registered as "Veeam Backup & Replication ...", so a broad wildcard avoids missing it on the "&" versus "and" spelling
Verify Fix Applied:
Verify that the version is 12.2.0.334 or later in the Veeam console or via the version check command above.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in Windows Event Logs (Event ID 4663)
- Unexpected Veeam service connections from non-administrative users
- Veeam remoting service access from unauthorized IPs
Network Indicators:
- Unusual traffic to Veeam remoting ports (9392/TCP, 9393/TCP) from non-admin systems
- Serialized data patterns in network traffic to Veeam services
SIEM Query:
(source="windows" EventCode=4663 ObjectName="*.vbr") OR (source="veeam" (message="*deserialization*" OR message="*temporary file*"))
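A host-side check for the first log indicator above, written here as an added example (it is not from the advisory or from Veeam): it pulls recent Security-log 4663 events, keeps those that requested DELETE access on files under the backup repository, and flags the ones performed in the Veeam service account's context, which is the pattern this vulnerability would produce. $RepoRoot and $ServiceAccount are placeholders, and object-access auditing with a SACL on the repository folder is assumed to be enabled (without it, no 4663 events are written).

```powershell
# Added example, not part of the advisory. Requires "Audit File System" auditing
# and a SACL on the repository folder so that 4663 events are generated.
param(
    [string]$RepoRoot       = 'D:\Backups',   # placeholder: backup repository root
    [string]$ServiceAccount = 'svc_veeam',    # placeholder: Veeam service account
    [int]$Hours             = 24              # look-back window
)

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # AccessMask is a hex string such as "0x10000"; bit 0x10000 is DELETE
    $mask = [Convert]::ToInt64($d['AccessMask'], 16)
    $isDelete  = ($mask -band 0x10000) -ne 0
    $inRepo    = $d['ObjectName'] -like "$RepoRoot*"

    if ($isDelete -and $inRepo) {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $d['SubjectUserName']
            Process        = $d['ProcessName']
            Object         = $d['ObjectName']
            # Deletions carried out by the service account, rather than by an
            # administrator's interactive session, deserve the closest look
            ServiceContext = ($d['SubjectUserName'] -eq $ServiceAccount)
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Routine retention jobs also delete repository files under the service account, so compare the flagged times against the job schedule before treating a hit as suspicious.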