Challenge
Veeam is aware of the Zip Slip vulnerability, which affects jobs with the guest file system indexing option enabled.Zip Slip is an arbitrary file overwrite vulnerability in multiple ZIP decompression algorithm implementations that affects thousands of software products across many ecosystems. The vulnerability is exploited using a specially crafted zip archive that holds path traversal filenames. A path traversal filename is a malicious filename that when chained to the target extraction directory, results in the final path existing outside of the target folder . For instance, if a zip archive were to contain a file called "../../file.exe", it would break out of the target folder when extracted. We highly recommend patching this vulnerability as soon as possible, as vulnerable code samples are actively being hand crafted and shared in developer communities for all major platforms.
Cause
Zip library (DotNetZip) CVE-2018-1002205Solution
A hotfix for Zip Slip and another similar vulnerability in guest file system indexing functionality is available for the following versions of Veeam Backup & Replication: 8.0 Update 3, 9.0 Update 2, 9.5 Update 2 and 9.5 Update 3.Please, stop your Veeam B&R and Veeam EM services and extract Ionic.Zip.dll and Veeam.Backup.Common.dll into C:\Program Files\Veeam\Backup and Replication\Backup Catalog and C:\Program Files\Veeam\Backup and Replication\Enterprise Manager with replacing existing files.
*Don't forget to make a backup of existing files prior to extraction.
Note: The only known angle of attack for leveraging these vulnerabilities against Veeam Backup & Replication involves Window and Linux guest file system indexing functionality. As such, you don’t have to install this hotfix unless you have guest file system indexing enabled in any of your Veeam backup jobs.