
Veeam Backup for AWS/Microsoft Azure/Google Cloud Platform Vulnerability

KB ID: 4143
Product: Veeam Backup for AWS, Veeam Backup for Microsoft Azure, Veeam Backup for Google Cloud Platform
Published: 2021-04-16
Last Modified: 2021-05-10

Challenge

Veeam has discovered a vulnerability in the File Level Restore (FLR) function of the following products:

Veeam Backup for AWS
Veeam Backup for Microsoft Azure
Veeam Backup for Google Cloud Platform

As detailed in the user guide pages linked above, when an FLR is initiated, a worker instance is created; data from the backup is mounted to it and then presented to the user via the Backup Browser. While an authorized user is performing a File Level Restore (FLR), it is possible for an unauthorized user to gain access to the underlying worker instance and to the sensitive data contained therein.

Note: The File Level Restore (FLR) session must be initiated by an authorized user and restore points which are not part of the running file level restore session cannot be accessed.

Severity: Critical
CVSS v3 score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Cause

The File Level Restore function incorrectly checks internal API permissions, allowing unauthorized access to the running FLR session's data.

Solution

The vulnerability documented in this article is corrected in the following versions of the "File level recovery for Veeam backup" package. (The build numbers shown below are for the "File level recovery for Veeam Backup" component specifically.)

  • 2.0.0.390 for Veeam Backup for AWS 3.0
  • 2.0.0.340 for Veeam Backup for Microsoft Azure 2.0
  • 2.0.0.433 for Veeam Backup for Google Cloud Platform 1.0

Details on installing updates can be found in the corresponding user guides.

More information

Check Update History

If no updates are shown when checking for updates, check the update [History] section to see whether the "File level recovery for Veeam Backup" package has already been updated.

The version of the FLR component may also be checked manually by downloading the logs and finding the "Release Version:" line in Veeam\flr\System.log.
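The manual log check can be scripted. The following is an added example, not Veeam code: it reads the "Release Version:" line and compares it with the fixed builds listed under Solution. The exact layout of the log line, the use of the last entry as the current build, the treatment of the fixed build as a minimum, and the sample log are assumptions.

```python
import re

# Fixed builds of the "File level recovery for Veeam Backup" component,
# taken from the Solution section of this article.
FIXED_BUILDS = {
    "aws": (2, 0, 0, 390),    # Veeam Backup for AWS 3.0
    "azure": (2, 0, 0, 340),  # Veeam Backup for Microsoft Azure 2.0
    "gcp": (2, 0, 0, 433),    # Veeam Backup for Google Cloud Platform 1.0
}

# Assumption: the version follows "Release Version:" on the same line as a
# dotted four-part number; the article documents only the label itself.
RELEASE_RE = re.compile(r"Release Version:\s*(\d+(?:\.\d+){3})")


def flr_versions(log_text):
    """Return every FLR release version found in the log, in file order."""
    return [tuple(int(part) for part in m.group(1).split("."))
            for m in RELEASE_RE.finditer(log_text)]


def check_flr(log_text, product):
    """Classify the newest logged FLR build as patched, vulnerable or unknown."""
    versions = flr_versions(log_text)
    if not versions:
        return "unknown", None  # no version line: never assume patched
    current = versions[-1]      # assumption: the log is append-only
    # Assumption: any build at or above the fixed build contains the fix.
    status = "patched" if current >= FIXED_BUILDS[product] else "vulnerable"
    return status, ".".join(map(str, current))


# Constructed sample log content (not real Veeam output).
SAMPLE_LOG = """\
2021-04-10 08:00:01 Service starting
2021-04-10 08:00:01 Release Version: 2.0.0.371
2021-04-20 09:14:55 Service starting
2021-04-20 09:14:55 Release Version: 2.0.0.390
"""

if __name__ == "__main__":
    for product in FIXED_BUILDS:
        print(product, check_flr(SAMPLE_LOG, product))
```

An "unknown" result means the log needs manual review; it does not mean the component is patched.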

Updates are only provided for products which have not reached End of Fix. Please review https://www.veeam.com/kb1530 for more information on Veeam's lifecycle policy. Users running products which have reached End of Fix are strongly encouraged to update.