https://login.veeam.com/en/oauth?client_id=nXojRrypJ8&redirect_uri=https%3A%2F%2Fwww.veeam.com%2Fservices%2Fauthentication%2Fredirect_url&response_type=code&scope=profile&state=eyJmaW5hbFJlZGlyZWN0TG9jYXRpb24iOiJodHRwczovL3d3dy52ZWVhbS5jb20va2IyMTgwIiwiaGFzaCI6ImQzZGEwNWY3LTBkOWEtNGNjNi1hODcxLTNjOTE4MDM4OTA4YyJ9
Veeam Backup & Replication Local Privilege Escalation Vulnerability
| KB ID: | 2180 |
| Product: | Veeam Backup & Replication |
| Version: | 6.x, 7.x, 8.0 |
| Published: | 2016-10-17 |
| Last Modified: | 2020-08-13 |
Challenge
The vulnerability allows any local Windows user with low privileges, such as the ones provided to an anonymous IIS's virtualhost user, to access Veeam Backup logfiles and extract the password, used to run Veeam components, which is stored as a doublebase64 encoded string.
Cause
The affected component is VeeamVixProxy, created by default on installation and configured to run with a privileged Local Administrator or a Domain Administrator account.
Using such accounts is correct and required for the components to run properly, as stated by the userguide and wizard prompts for adding a VMware or HyperV Backup Proxies:
"Type in an account with local administrator privileges
on the server you are adding. Use DOMAIN\USER format for domain
accounts, or HOST\USER for local accounts."
We conservatively refer to this issue as a Local Administrator Privilege Escalation but the use of Domain Administrator accounts for Veeam is not discouraged, if not advised, and this is a common pattern in production.
Using such accounts is correct and required for the components to run properly, as stated by the userguide and wizard prompts for adding a VMware or HyperV Backup Proxies:
"Type in an account with local administrator privileges
on the server you are adding. Use DOMAIN\USER format for domain
accounts, or HOST\USER for local accounts."
We conservatively refer to this issue as a Local Administrator Privilege Escalation but the use of Domain Administrator accounts for Veeam is not discouraged, if not advised, and this is a common pattern in production.
Solution
Update Veeam Backup & Replication to version 8.0 Update 3 or 9.x.
Workaround for operating systems on your virtual machines:
If Veeam B&R is installed on a Windows 2003 environment, change the access permissions on %alluserprofile%\Application Data\Veeam\Backup and subdirectories, so that only members of the "Administrators" group can read it.
If Veeam B&R is installed on Windows 2008 and newer, change the access permissions on %programdata%\Veeam\Backup\ and subdirectories, so that only members of the "Administrators" group can read it.
Workaround for operating systems on your virtual machines:
If Veeam B&R is installed on a Windows 2003 environment, change the access permissions on %alluserprofile%\Application Data\Veeam\Backup and subdirectories, so that only members of the "Administrators" group can read it.
If Veeam B&R is installed on Windows 2008 and newer, change the access permissions on %programdata%\Veeam\Backup\ and subdirectories, so that only members of the "Administrators" group can read it.
More information
kbSecBulletin, Local Privilege Escalation, CVE20155742
| KB ID: | 2180 |
| Product: | Veeam Backup & Replication |
| Version: | 6.x, 7.x, 8.0 |
| Published: | 2016-10-17 |
| Last Modified: | 2020-08-13 |
Couldn't find what you were looking for?
Below you can submit an idea for a new knowledge base article.
Report a typo on this page:
Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!
Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!
Spelling error in text
Knowledge base content request
