Pasquale `sid` Fiorillo, Francesco `ascii` Ongaro from ISGroup, an Italian Security firm, and Antonio `s4tan` Parata from ush team, have released a critical security advisory for any version of Veeam Backup & Replication prior to 8 Update 3.
The issue potentially involves 157,000 customers and 9.1 million Virtual Machines worldwide and could lead to full Domain Administrator compromise of the affected infrastructures.
Veeam Software provides backup, disaster recovery and virtualization management software for the VMware and Hyper-V environments.
- Advisory: http://www.ush.it/2015/10/08/veeam-backup-replication-6-7-8-local-privilege-escalation-vulnerability/
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5742
- Vendor patch: http://www.veeam.com/kb2068
- Press release: http://securityaffairs.co/wordpress/40891/hacking/veeam-zero-day.html