A proof-of-concept (PoC) exploit for an authentication bypass vulnerability in Veeam Backup Enterprise Manager, identified as CVE-2024-29849, has been made public. This highlights the urgency for administrators to apply the latest security updates.
Veeam Backup Enterprise Manager (VBEM) is a web platform used to manage Veeam Backup & Replication installations through a web console. This tool is essential for controlling backup jobs and performing restoration operations in an organization’s backup infrastructure.
On May 21, Veeam issued a security bulletin warning about a critical vulnerability that allows remote unauthenticated attackers to access the VBEM web interface as any user. The company urged its customers to update to version 12.1.2.172 of VBEM and provided mitigation advice for those who cannot apply the update immediately.
Exploit Details
In a technical analysis, cybersecurity researcher Sina Kheirkhah explains that the vulnerability resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service, which listens on TCP port 9398 and functions as a REST API server for the main web application.
The exploit involves sending a specially crafted VMware Single Sign-On (SSO) token to the vulnerable service using the Veeam API. The token includes an authentication request that impersonates an administrator user and an SSO service URL that Veeam does not verify.
The base64-encoded SSO token is decoded and interpreted as XML, and its authenticity is then checked through a SOAP request to a URL that the attacker controls. Because that server answers every validation request as valid, Veeam accepts the authentication request and grants the attacker administrator access.
The available exploit demonstrates all the necessary steps to exploit the vulnerability, including setting up a callback server, sending the manipulated token, and retrieving a list of file servers as proof of successful exploitation.
Risk Mitigation
While no in-the-wild exploitation of CVE-2024-29849 has been reported yet, the public availability of a working exploit could change this quickly. It is therefore critical to update to version 12.1.2.172 or later as soon as possible.
For those unable to apply the patch immediately, the following measures are recommended:
Limit access to the VBEM web interface by restricting network access only to trusted IP addresses.
Implement firewall rules to block unauthorized access to ports used by Veeam services (e.g., port 9398 for the REST API).
Enable multi-factor authentication for all accounts accessing VBEM.
Deploy a web application firewall to help detect and block malicious requests targeting VBEM.
Regularly monitor and audit access logs for suspicious or unauthorized access attempts, and set up alerts for login attempts from untrusted IP addresses.
Isolate the VBEM server from other critical systems within your network to contain the risk of lateral movement.
The swift adoption of these measures can be crucial in protecting organizations’ backup infrastructure and avoiding potential security breaches.
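The bypass described above needs two network events that a defender can watch for: an inbound request to the REST API on port 9398 and an outbound SOAP callback from the VBEM server to a host that is not a legitimate SSO endpoint. The following Python script is an added illustration of that monitoring (it is not from the article or from the PoC); the log format, the VBEM address, the SSO allowlist and the trusted network range are all assumptions, and the log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed firewall/egress log lines (not real data). Assumed format:
# "<ts> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>"
SAMPLE_LOG = """\
2024-06-10T12:00:01Z src=10.0.5.20 dst=10.0.5.10 dport=443 proto=tcp action=allow
2024-06-10T12:00:02Z src=10.0.5.20 dst=203.0.113.45 dport=8443 proto=tcp action=allow
2024-06-10T12:00:03Z src=10.0.7.8 dst=10.0.5.20 dport=9398 proto=tcp action=allow
2024-06-10T12:00:04Z src=10.0.5.20 dst=10.0.5.11 dport=443 proto=tcp action=allow
2024-06-10T12:00:05Z src=198.51.100.7 dst=10.0.5.20 dport=9398 proto=tcp action=allow
"""

VBEM_HOST = ip_address("10.0.5.20")                                   # assumed VBEM server
SSO_ALLOWLIST = {ip_address("10.0.5.10"), ip_address("10.0.5.11")}    # assumed vCenter/SSO hosts
TRUSTED_NETS = [ip_network("10.0.0.0/8")]                             # assumed admin networks
REST_PORT = 9398                                                      # port named in the analysis

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=\S+ action=(\w+)")


def analyse(log_text):
    """Return (finding, peer, port) tuples for events worth an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, dport, action = ip_address(m[1]), ip_address(m[2]), int(m[3]), m[4]
        if action != "allow":
            continue  # only successful connections matter here
        # The bypass requires VBEM to call back to an attacker-chosen SSO URL, so any
        # outbound connection from VBEM to a host outside the SSO allowlist is suspicious.
        if src == VBEM_HOST and dst not in SSO_ALLOWLIST:
            findings.append(("outbound-callback", str(dst), dport))
        # Hits on the REST API port from outside trusted networks violate the
        # access restriction recommended as an interim mitigation.
        if dst == VBEM_HOST and dport == REST_PORT and not any(src in n for n in TRUSTED_NETS):
            findings.append(("untrusted-rest-access", str(src), dport))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```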
Source: Bleeping Computer