CVE-2022-26501 Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

In previous versions of Veeam Backup & Replication, there was no way to limit which end users could edit a job, or which computers those end users could schedule the job on. This could lead to a security issue, where a malicious user has the ability to change a critical backup job and negatively impact their entire company. In versions 10.x and 11.x, you can now limit which end users can edit a job, and which computers they can schedule the job on. To do this, go to Settings > Management, click ‘Edit’ next to a Job, and change the ‘Edit’ permission to ‘Only these users’.

Veeam Backup & Replication and vSphere Integration

Veeam Backup & Replication has the ability to integrate with vSphere. When this is done, Veeam uses the vSphere API to schedule jobs on a vSphere cluster. This means that Veeam can now have end users schedule jobs on a vSphere cluster, but only those specific people allowed for that job can edit it.
This is also true for setting up the schedules for backup jobs in Veeam Backup & Replication. In earlier versions of VBR, you could set up job schedules using the buttons on the Jobs tab in VBR. A malicious user could click these buttons and potentially cause unexpected consequences for the backups they run. In versions 10.x and 11.x, you can still access these settings through the Job Settings tab, but now only your administrator account has permission to schedule jobs!

Veeam ONE Update

In this version of Veeam ONE, we have added the ability to export data from a backup job. The user just needs to click the "Export" button on the top-right corner of their browser.

Veeam Backup & Replication 11.0 Updates

Veeam Backup & Replication 11.0 has plenty of new features, updates, and improvements to help IT Pros better manage their backup data. Veeam Cloud Connect is now a native service in Veeam Backup & Replication, providing IT Pros the ability to choose their preferred connectivity solution. In addition, you can now schedule backups without any administrative intervention.
New features in Veeam Backup & Replication 11.0 include:
- VMware vSphere 6 support
- VMware vCloud Air support
- Windows Server 2016 support
- Advanced Data Protection for AWS/Google/Azure Storage snapshots

Change the ‘Only these users’ permission to a more restrictive option

If you'd like to restrict a job's ‘Edit’ permission further, you can do so by editing the Job setting in the Veeam Backup & Replication User Interface.
This will prevent users from changing a backup job that they have scheduled, but will allow them to schedule new jobs.

Veeam Backup & Replication – Find more information in our documentation

Veeam Backup & Replication 10.x and 11.x now provide a new way to control what end users can do during the backup process. By default, all end users can schedule a job and view its associated job settings, but in some cases this may not be ideal. This is where you can take control of who can edit a job by changing the ‘Edit’ permission on a Job.

Timeline

Published on: 03/17/2022 21:15:00 UTC
Last modified on: 03/24/2022 19:02:00 UTC