Threat update
A Veeam Backup Enterprise Manager (VBEM) security vulnerability, CVE-2024-29849, can pose serious risks for organizations. Users are advised to update their VBEM to the latest version immediately.
Technical Detail and Additional Info
What is the threat?
CVE-2024-29849 is an authentication bypass where unauthorized users can gain access with administrative rights without providing the correct login information. Attackers can take advantage of this vulnerability by creating a fake login token and sending it to VBEM's REST API service, which is supposed to verify the correct login information. However, the service currently fails to do its job, and are allowing the unauthorized user to have administrator privileges, creating severe security risks for companies.
Why is it noteworthy?
This vulnerability is noteworthy because it allows unauthorized users to access a company's backup data, which is typically very sensitive and vital. In the wrong hands, this data can be used maliciously.
What is the exposure or risk?
CVE-2024-29849 carries a high risk for leading companies to suffer from data theft and loss. This vulnerability can compromise different companies' backup data, making it hard for a company to recover from other technical problems. One of the most concerning risks is that these unauthorized users can dig deeper and access even more information/data within a company's network after gaining these administrative privileges.
What are the recommendations?
LBT Technology Group recommends the following actions to limit the impact of CVE-2024-29849:
- Update VBEM to the latest version, 12.1.2.172 or higher.
- Set up firewall policies that will block unauthorized access to VBEM networks ports, most importantly port 9398 for the REST API.
- Restrict network access, allowing only trusted IP addresses access to VBEM.
- Enable multi-factor authentication for extra security, as another way of authentication.
- Use a Web Application Firewall to prevent malicious attempts to access VBEM.
- Check access logs frequently and set up alerts for any type of suspicious activity, login attempts, and untrusted IP addresses.
- Isolate the VBEM server from other important networks to prevent attacks and access to other areas.
- Keep all types of software, in addition to VBEM, updated regularly to prevent these types of situations.
References
If you have any questions, please contact LBT's Sales Engineer.