DanielJ
Service Provider
Posts: 200
Liked: 32 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson
Contact:

Re: Critical V11 and V12 vulnerability?

Post by DanielJ »

But I'm right now looking at how the patch updates the transport service on component servers, for the installations I have patched so far. Will this require us to enable ssh on hardened repositories, when I get to those? Then, how can it be true that "the patch only updates the VBR server"?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Are you talking about the V12 patch? Maybe I'm wrong then, I assumed it patches the backup server only from what I heard about the vulnerability.

If you're on V12, you should not need to enable SSH on hardened repositories (a new V12 feature).
Regnor
VeeaMVP
Posts: 940
Liked: 291 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Regnor » 1 person likes this post

It seems like it patches all (Windows) mount servers. The hardened repository didn't require any updates after this patch.
Component [Mount Server] on the host [XYZ] has been updated
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Yes, the vulnerability is in the Mount service component, so this makes sense.
renatorichina
Novice
Posts: 8
Liked: 2 times
Joined: Mar 06, 2015 1:55 pm
Full Name: Renato Richina
Contact:

[MERGED] About Vulnerability CVE-2023-27532

Post by renatorichina »

Maybe a stupid question, but I'd like to understand how critical this vulnerability is and how quickly we should patch dozens of customer servers:

Do I see it right that if the Veeam server is NOT reachable from the internet (which should not be the case for sure), then this vulnerability cannot be exploited from outside the customer's LAN? For sure it could be exposed by an attack from inside the LAN, but then "we" would already have another problem.

Or am I missing something?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev » 1 person likes this post

Your understanding is correct and you're not missing anything.

The vulnerability is useful for attackers to move laterally once they have already penetrated the backup infrastructure network perimeter.

Here's an article with the same conclusion > https://thestack.technology/veeam-vulne ... y-warning/
r2d2
Novice
Posts: 6
Liked: 1 time
Joined: May 10, 2011 1:30 pm
Full Name: arth
Contact:

[MERGED] Re: Question about vulnerability

Post by r2d2 »

Please let me know how this issue could be reproduced to check if the update fixed it.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur »

Hello Arth

Providing this information would provide potential attackers a step by step guide and thus accelerate active exploitation.

If you have patched your backup server, or alternatively blocked communication to the port (TCP 9401 by default), then the security vulnerability is remediated.

Best,
Fabian
Product Management Analyst @ Veeam Software
Tom_LeFx
Enthusiast
Posts: 25
Liked: 1 time
Joined: Jan 13, 2023 6:50 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Tom_LeFx »

What is the recommended way to address this for Veeam B&R community edition? I assume it's equally affected?
The patches are only for 11a Standard - and the CE is listed as v11.
Can I still install the update? Do I need to do a full reinstall?
kevin.boddy
Service Provider
Posts: 155
Liked: 11 times
Joined: Jan 30, 2018 3:24 pm
Full Name: Kevin Boddy
Contact:

Re: Critical V11 and V12 vulnerability?

Post by kevin.boddy »

Hi,

Just received the email notification this evening. Is there a better way to get these types of notifications faster?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Subscribe to immediate notices about Security Advisories, as suggested on the previous page.

Email marketing explained to me they cannot send 500K emails in one day without Veeam getting blocked for spam all over the world, so they can only do it across a few days.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Tom_LeFx wrote: Mar 09, 2023 4:20 pm What is the recommended way to address this for Veeam B&R community edition? I assume it's equally affected?
The patches are only for 11a Standard - and the CE is listed as v11.
Can I still install the update? Do I need to do a full reinstall?
Since most likely you have an all-in-one install, you could just block the TCP port and be done with this.

But why not upgrade to V12?
mkretzer
Veeam Legend
Posts: 1145
Liked: 388 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: Critical V11 and V12 vulnerability?

Post by mkretzer »

@Gostev I understand your mail argument. So maybe you should have a forum to announce such things... Like an R&D Forum? With a big banner "ALERT! Patch your systems".
As I read about this on Reddit, I was REALLY confused to find nothing about this here! This is the first location where I would expect such information to pop up.
Regnor
VeeaMVP
Posts: 940
Liked: 291 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Regnor »

Regnor wrote: Mar 07, 2023 8:16 pm @Anton: Do only customers with active contracts get such notifications? I haven't received this one nor another critical issue some time ago, but do get all other general notifications (releases, events, ...).
Just as an update to my post. I did receive the email (twice) yesterday, so they also get sent to Veeam accounts which don't have a license/contract.
kevin.boddy
Service Provider
Posts: 155
Liked: 11 times
Joined: Jan 30, 2018 3:24 pm
Full Name: Kevin Boddy
Contact:

Re: Critical V11 and V12 vulnerability?

Post by kevin.boddy »

I also received two notifications as did all my colleagues yesterday. Maybe if only one notification is sent, it wouldn't have the potential to be flagged as spam.

I will log a case now to check whether I am subscribed to the Veeam Support KB. I am pretty sure I have done this all before. There does not seem to be any confirmation email or any way to check that I can see.

I still don't see why it gets posted on Reddit first.
Tom_LeFx
Enthusiast
Posts: 25
Liked: 1 time
Joined: Jan 13, 2023 6:50 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Tom_LeFx »

Gostev wrote: Mar 09, 2023 6:51 pm Since most likely you have an all-in-one install, you could just block the TCP port and be done with this.

But why not upgrade to V12?
@Gostev
Because I wasn't aware it's there yet :-D

But for more specifics on the installation, I'm not sure if our setup qualifies as all-in-one:
We have a Veeam backup server running as a VM on a Hyper-V host, which backs up to 2 Linux repos. So, to my understanding, it is not all-in-one, because the repos are external machines and the Hyper-V host is the proxy, because it has the best performance for it.

So update to Veeam 12 Community and then I'm good?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Strange, you should have received an in-product notification about V12 last week, as the update server was initialized with the V12 notification for all CE installs. But anyway - yes, that's totally what I would do. Your install is not all-in-one.
stfconsulting
Service Provider
Posts: 33
Liked: 12 times
Joined: Jan 31, 2015 9:17 pm
Full Name: S Furman
Contact:

Re: Critical V11 and V12 vulnerability?

Post by stfconsulting » 1 person likes this post

We ran the patch on 3 VBR servers in the last few days and it worked just fine.
guitarfish
Enthusiast
Posts: 98
Liked: 12 times
Joined: Mar 06, 2013 4:12 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by guitarfish »

I installed the patch on 4 VBR servers 3 days ago. Backup, Backup Copy, and Replication jobs all working fine.
IanBolton
Enthusiast
Posts: 47
Liked: 7 times
Joined: Jan 06, 2022 1:55 pm
Full Name: IanE
Contact:

Re: Critical V11 and V12 vulnerability?

Post by IanBolton »

Can I just clarify something....

Has the 'patch' for V11a been pulled, with the 'fix' now being to upgrade to v12?

As per https://www.veeam.com/kb4420?ad=in-text-link
This article has two download links:

Patch — Use this if you are running at least Veeam Backup & Replication 12 GA (build 12.0.0.1420). After updating, the build number will be 12.0.0.1420 P20230223.
ISO — Use this if you are running any Veeam Backup & Replication version between 10a (10.0.1.4854) and 11a (11.0.1.1261 P20230227), to upgrade to version 12 P20230223. Remember to review the Upgrade Checklist as part of your upgrade process.
So if I'm running 11a I have to go to 12?!
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur » 1 person likes this post

No, there is also a patch for V11a:
https://www.veeam.com/kb4245
Product Management Analyst @ Veeam Software
IanBolton
Enthusiast
Posts: 47
Liked: 7 times
Joined: Jan 06, 2022 1:55 pm
Full Name: IanE
Contact:

Re: Critical V11 and V12 vulnerability?

Post by IanBolton »

Thanks, my bad.
romulanvox
Novice
Posts: 5
Liked: never
Joined: Oct 28, 2021 9:37 am
Full Name: KNL
Contact:

Re: Critical V11 and V12 vulnerability?

Post by romulanvox »

I had the initial impression that this vulnerability only affects Windows Mount Servers connecting to the VBR's TCP port 9401 during Windows FLR.

What I discovered during a Linux FLR test was that the VBR's TCP port 9401 is being connected to by an external Windows Mount Server during the initial phase, where the Linux Mount Server mounts the backups and displays the backup's contents in the VBR's File Explorer.

Once the VBR's File Explorer reads the backup file contents and displays the folder structures, the VBR's TCP port 9401 no longer has any connections.

Hence, for those who just can't patch your VBRs immediately and may need to do FLRs, you'll need to unblock the VBR's TCP port 9401 during the initial part of the FLR process.
M4rco
Service Provider
Posts: 49
Liked: 3 times
Joined: Apr 20, 2015 7:23 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by M4rco »

My feedback on the v11a patch update.

We have a Veeam Enterprise Manager instance where we have the VBR console component installed, as we run PowerShell scripts which connect to our individual VBR servers for collecting monitoring data. It took us some head-scratching to finally conclude we need to install the VBR patch on our Veeam Enterprise Manager server in order to get the VBR console component upgraded. (We could not find any documentation stating you may need to install the VBR patch on another type of Veeam server.)

After that we ran into some more head-scratching, as it turns out the Connect-VBRServer cmdlet has its PowerShell session corrupted when you try to connect to a non-updated VBR server. When the PowerShell session is corrupted you also cannot connect to an upgraded VBR server anymore.
IanBolton
Enthusiast
Posts: 47
Liked: 7 times
Joined: Jan 06, 2022 1:55 pm
Full Name: IanE
Contact:

Re: Critical V11 and V12 vulnerability?

Post by IanBolton »

If you had run the console on that EM server, attempting to connect to the patched VBR server, it would have prompted you to upgrade?
rgmueller
Enthusiast
Posts: 27
Liked: 4 times
Joined: Dec 21, 2018 4:35 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by rgmueller »

Is there a way to verify the issue has been fixed once the patch has been installed?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur »

@M4rco
Console and PowerShell modules can only manage backup servers with the same version.
The console is normally updated when you first connect to the updated VBR server.
Maybe we can add some note in our user guide.

@rgmueller
Unfortunately we cannot provide a step-by-step guide on how to test the update.
Please see my previous answer in this topic:
post479666.html#p479666

Best,
Fabian
Product Management Analyst @ Veeam Software
rgmueller
Enthusiast
Posts: 27
Liked: 4 times
Joined: Dec 21, 2018 4:35 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by rgmueller »

@Mildur,

That is what I thought. I was anticipating questions from my change management team about knowing how to tell if resolved or not. Thank you.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur » 1 person likes this post

If patch installation was successful, you can tell them the issue is fixed for that environment.
You can check the build number in the Veeam console:

- v12 (build 12.0.0.1420 P20230223)
- v11a (build 11.0.1.1261 P20230227)

Best,
Fabian
Product Management Analyst @ Veeam Software
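One way to turn that console check into an inventory report, as an added example that is not Veeam's code and not from this thread: it parses the build string as the console shows it ("12.0.0.1420 P20230223") and compares it against the two fixed builds quoted above. The host names and build strings in the inventory are constructed, and the script assumes that any later build or later cumulative patch tag on the same release line keeps the fix.

```python
import re

# Fixed builds as stated in the thread (KB4420 for v12, KB4245 for v11a),
# keyed by major version: (version tuple, minimum cumulative patch tag).
FIXED_BUILDS = {
    12: ((12, 0, 0, 1420), "20230223"),
    11: ((11, 0, 1, 1261), "20230227"),
}

# "<a>.<b>.<c>.<d>" optionally followed by " P<YYYYMMDD>" (cumulative patch tag)
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P(\d{8}))?$")


def parse_build(build):
    """Split a console build string into (version tuple, patch tag or None)."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    version = tuple(int(x) for x in m.groups()[:4])
    return version, m.group(5)


def is_remediated(build):
    """True when the build is at or past the fixed build for its release line."""
    version, patch = parse_build(build)
    major = version[0]
    if major > max(FIXED_BUILDS):
        return True          # assumption: newer release lines ship with the fix
    if major not in FIXED_BUILDS:
        return False         # 10a and older: only an upgrade to V12 fixes it
    fixed_version, fixed_patch = FIXED_BUILDS[major]
    if version != fixed_version:
        return version > fixed_version
    # Same base build: the fix is only present with the cumulative patch applied.
    # Patch tags are YYYYMMDD, so string comparison orders them by date.
    return patch is not None and patch >= fixed_patch


def report(inventory):
    """Map host -> 'patched' / 'NEEDS PATCH' for a {host: build} inventory."""
    return {host: ("patched" if is_remediated(b) else "NEEDS PATCH")
            for host, b in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {"vbr-01": "12.0.0.1420 P20230223", "vbr-02": "12.0.0.1420",
              "vbr-03": "11.0.1.1261 P20230227", "vbr-04": "10.0.1.4854"}
    for host, status in report(sample).items():
        print(f"{host}: {status}")
```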
M4rco
Service Provider
Posts: 49
Liked: 3 times
Joined: Apr 20, 2015 7:23 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by M4rco »

Mildur wrote: Mar 16, 2023 5:33 pm @M4rco
Console and PowerShell modules can only manage backup servers with the same version.
The console is normally updated when you first connect to the updated VBR server.
Maybe we can add some note in our user guide.
I was not aware the console would be automatically updated when connecting to an updated VBR server. Are the PowerShell modules updated at the same time?