Veeam Backup Enterprise Manager Vulnerabilities
(CVE-2024-29849, CVE-2024-29850, CVE-2024-29851, CVE-2024-29852)
This article documents vulnerabilities discovered in Veeam Backup Enterprise Manager (VBEM), a supplementary application customers may deploy to manage Veeam Backup & Replication using a web console.
Deploying Veeam Backup Enterprise Manager is optional; not all environments will have it installed. As such, if Veeam Backup Enterprise Manager was not deployed in your environment, that environment would not be impacted by these vulnerabilities.
Issue Details
CVE-2024-29849
This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
Severity: Critical
CVSS v3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29850
This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
Severity: High
CVSS v3.1 Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVE-2024-29851
This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
Severity: High
CVSS v3.1 Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29852
This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.
Severity: Low
CVSS v3.1 Score: 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Solution
All vulnerabilities documented in this article were fixed in Veeam Backup Enterprise Manager 12.1.2.172, which is packaged with:
More Information
Vulnerability Mitigation
For customers who are unable to upgrade Veeam Backup Enterprise Manager to 12.1.2.172 immediately, consider the following:
- These vulnerabilities can be mitigated by halting the Veeam Backup Enterprise Manager software. To do this, stop and disable the following services:
  - VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  - VeeamRESTSvc (Veeam RESTful API Service)
  Note: Do not stop the 'Veeam Backup Server RESTful API Service'.
- Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
- Veeam Backup Enterprise Manager can be uninstalled if it is not in use.
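The interim mitigation above as a script, added here as an example and not Veeam's own tooling: it reads the file version of the VeeamEnterpriseManagerSvc binary (assumption: that file version tracks the VBEM build number), and on a build older than 12.1.2.172 stops and disables only VeeamEnterpriseManagerSvc and VeeamRESTSvc, leaving the Veeam Backup Server RESTful API Service untouched.

```powershell
#Requires -RunAsAdministrator
# Added example (not Veeam's own tooling): interim mitigation for VBEM hosts that
# cannot be upgraded to 12.1.2.172 yet. Only the two services named in the advisory
# are stopped and disabled; the Veeam Backup Server RESTful API Service is left alone.
# Assumption: the service executable's file version tracks the VBEM build number.

$FixedBuild        = [version]'12.1.2.172'
$ServicesToDisable = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')   # from the advisory

# Locate the VBEM service binary. If the service is absent, VBEM is not installed here.
$svc = Get-CimInstance Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'"
if (-not $svc) {
    Write-Host 'VeeamEnterpriseManagerSvc not present: VBEM is not installed on this host.'
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$installed = [version](Get-Item $exePath).VersionInfo.FileVersion
Write-Host "VBEM service binary version: $installed"

if ($installed -ge $FixedBuild) {
    Write-Host "Build $installed already contains the fix; no mitigation required."
    return
}

# Vulnerable build: halt VBEM by stopping and disabling the listed services.
foreach ($name in $ServicesToDisable) {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$name not found; skipping"; continue }
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "$name stopped and set to Disabled"
}

# Verify the result, and confirm the backup server's own REST service was not touched.
Get-Service -Name $ServicesToDisable |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
Get-Service -DisplayName 'Veeam Backup Server RESTful API Service' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Re-run the script after upgrading to 12.1.2.172 to confirm it reports the fixed build; the services must then be re-enabled by hand, since the script never re-enables anything.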