Pasquale `sid` Fiorillo, Francesco `ascii` Ongaro from ISGroup, an Italian Security firm, and Antonio `s4tan` Parata from ush team, have just released a critical security advisory for any version of Veeam Backup & Replication prior to 8 Update 3 (released today, October 8th, 2015). The issue potentially involves 157,000 customers and 9.1 million Virtual Machines worldwide and could lead to full Domain Administrator compromise of the affected infrastructures.
This vulnerability is caused by a component, VeeamVixProxy, that logs in an obfuscated way the administrator username and password used by Veeam to run. An attacker could easily “decode” the password to cleartext. From subsequent analysis it turns out that Veeam’s admin user is often a Domain Administrator user and this enables a scenario in which an unprivileged user, or even an hacked IIS website, inside a single Virtual Machine, can escalate his privileges to Domain Administrator. Even if Domain escalation is not possible, the attacker will at least get the Local Administrator’s credentials.
Users are strongly advised to update their systems to the latest version released by the vendor.
–The press team
You can use the images in this post under the Creative Commons Attribution 4.0 International License.