
CVE-2024-29849: Veeam discloses Critical Vulnerability that allows attackers to bypass user authentication on its Backup Enterprise Manager web interface

On May 21, 2024, Veeam disclosed a critical flaw in the web interface of Veeam Backup Enterprise Manager (VBEM) that lets an unauthenticated attacker log into the web interface as any user. Designated CVE-2024-29849, the vulnerability carries a CVSS v3 score of 9.8 (critical).

VBEM is the web console that administrators use to manage Veeam Backup & Replication installations centrally. An attacker who can log in as an arbitrary user, including an administrator, therefore inherits that control over the backup environment and could read confidential data, alter or delete it, or disrupt backup and restore operations.

Details about the exploit

In a detailed research report published by Summoning Team, the flaw was located on TCP port 9398, where VBEM exposes the REST API server that backs the main web application.

Exploitation consists of sending a specially crafted VMware single sign-on (SSO) token to the vulnerable service through the Veeam REST API. The token carries an authentication request that impersonates an administrator account together with an SSO service URL, and Veeam does not validate that URL.

VBEM base64-decodes the token, parses it as XML, and then checks its validity by sending a SOAP validation request to the SSO service URL taken from the token itself, which is a URL the attacker controls. The attacker's rogue server answers that the token is valid, so VBEM accepts the authentication request and grants the attacker administrator access.

Source: Summoning Team

The image above outlines the full exploitation flow: standing up a callback server, sending the crafted token, and retrieving the list of file servers as proof of successful exploitation.
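The flawed pattern described above, as an added example that is not Veeam's code or Summoning Team's proof of concept: a server that takes the validation endpoint from the untrusted token it is validating, next to the hardened form that only ever contacts the administrator-configured SSO endpoint. The token layout, the `CorporateSso`/`RogueSso` classes and the `network` dictionary are constructed stand-ins for the real token format and the SOAP round-trip so the script runs offline.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed, simplified token layout for illustration only (this is not
# Veeam's real format): base64 of an XML document naming the subject and the
# SSO service that is supposed to vouch for it.


def build_token(username: str, sso_url: str) -> str:
    root = ET.Element("SsoToken")
    ET.SubElement(root, "User").text = username
    ET.SubElement(root, "ServiceUrl").text = sso_url
    return base64.b64encode(ET.tostring(root)).decode()


def parse_token(token_b64: str) -> dict:
    # Production code should parse untrusted XML with defusedxml, not plain ElementTree.
    root = ET.fromstring(base64.b64decode(token_b64))
    return {"user": root.findtext("User"), "service_url": root.findtext("ServiceUrl")}


class CorporateSso:
    """Stand-in for the real SSO service: vouches only for tokens it issued."""

    def __init__(self, url: str):
        self.url = url
        self.issued: set[str] = set()

    def issue(self, username: str) -> str:
        token = build_token(username, self.url)
        self.issued.add(token)
        return token

    def validate(self, token_b64: str) -> bool:
        return token_b64 in self.issued


class RogueSso:
    """Attacker's callback server: answers 'valid' to every validation request."""

    def __init__(self, url: str):
        self.url = url

    def validate(self, token_b64: str) -> bool:
        return True


def soap_validate(url: str, token_b64: str, network: dict) -> bool:
    # Stands in for the SOAP round-trip: route the request to whichever host the URL names.
    server = network.get(urlparse(url).netloc)
    return server is not None and server.validate(token_b64)


def vulnerable_login(token_b64: str, network: dict):
    claims = parse_token(token_b64)
    # The flawed pattern: the validation endpoint is taken from the untrusted
    # token itself, so the sender chooses who gets to answer "yes".
    if soap_validate(claims["service_url"], token_b64, network):
        return claims["user"]
    return None


def hardened_login(token_b64: str, trusted_sso_url: str, network: dict):
    claims = parse_token(token_b64)
    # Only the administrator-configured SSO endpoint is ever contacted; a token
    # naming any other service URL is rejected before any request is sent.
    if claims["service_url"] != trusted_sso_url:
        return None
    if soap_validate(trusted_sso_url, token_b64, network):
        return claims["user"]
    return None


def demo() -> dict:
    corp = CorporateSso("https://sso.corp.example/sts")
    rogue = RogueSso("https://attacker.example/sts")
    network = {urlparse(s.url).netloc: s for s in (corp, rogue)}
    forged = build_token("Administrator", rogue.url)  # never issued by the corporate SSO
    legit = corp.issue("backupoperator")
    return {
        "vulnerable_forged": vulnerable_login(forged, network),
        "hardened_forged": hardened_login(forged, corp.url, network),
        "hardened_legit": hardened_login(legit, corp.url, network),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable path logging the forged token in as `Administrator` while the hardened path rejects it and still accepts the token the corporate SSO actually issued. In a real deployment the hardened check is necessary but not sufficient: the token's signature must also be verified against the SSO service's known signing certificate, so that the service URL comparison is not the only thing standing between an attacker and an administrative session.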

Next Steps

The company has also revealed three additional vulnerabilities affecting the same product:

  • CVE-2024-29850 (CVSS score: 8.8), allowing account takeover through NTLM relay
  • CVE-2024-29851 (CVSS score: 7.2), allowing a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that account is anything other than the default Local System account
  • CVE-2024-29852 (CVSS score: 2.7), allowing high-privileged users to read backup session logs
All four vulnerabilities are fixed in Veeam Backup Enterprise Manager version 12.1.2.172.

Although there are no reports of CVE-2024-29849 being exploited in the wild so far, a working exploit is now publicly available, and that situation could change quickly. Updating to version 12.1.2.172 or later as soon as possible is therefore essential. Until the update is applied, make sure the VBEM web interface and its REST API on TCP port 9398 are not reachable from the internet or other untrusted networks.

*Note: Veeam emphasized that installing Veeam Backup Enterprise Manager is optional; environments that have not deployed it are not affected by these issues.

[LATEST UPDATE]

As Veeam's security troubles continue to mount, the company has officially acknowledged another vulnerability, disclosed a few hours ago (0930 hrs, 06/10/2024).

Tracked as CVE-2024-29855 with a CVSS score of 9.0 (critical), the vulnerability was found in the Web Console component of Veeam Recovery Orchestrator.

Veeam Recovery Orchestrator (VRO) is a component of the Veeam Data Platform. Ironically, the orchestrator's sole purpose is to improve recovery: it lets businesses define, test, and rehearse recovery plans for data outages, and the ability to choose the right recovery method matters most when the outage is caused by a cyberattack.

The vulnerability allows an attacker to access the VRO web UI with administrative privileges by using a hard-coded JWT secret key. Because the key is the same in every installation, anyone who obtains it can forge a token that the web console accepts as a valid administrative session, bypassing authentication entirely.

Versions affected: VRO 7.0.0.337
Severity: Critical
CVSS v3 score: 9.0
Mitigation: Patch available
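Why a hard-coded JWT secret amounts to an authentication bypass, as an added example that is not Veeam's code and does not reproduce VRO's token format: a minimal HS256 signer and verifier, a server that verifies with a secret baked into the build, and the hardened variant that uses a random per-installation secret. The `HARDCODED_SECRET` value, the claim names and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; anyone holding `secret` can do exactly this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jwt_verify(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature matches `secret` and the token is unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON (JSONDecodeError is a ValueError)
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion tricks
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed baked-in secret: bytes shipped inside every copy of a product are
# effectively public, so every attacker holds the same signing key as the server.
HARDCODED_SECRET = b"example-secret-baked-into-the-build"


def vulnerable_verify(token: str, now: Optional[int] = None) -> Optional[dict]:
    return jwt_verify(token, HARDCODED_SECRET, now)


def generate_install_secret() -> bytes:
    # Hardened: a random per-deployment key generated at install time and kept
    # in protected configuration, never in the code or the shipped binary.
    return secrets.token_bytes(32)


def hardened_verify(token: str, install_secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    return jwt_verify(token, install_secret, now)


def demo(now: int = 1_700_000_000) -> dict:
    # An attacker who read the secret out of the product forges an administrator token.
    forged = jwt_sign({"sub": "Administrator", "role": "admin", "exp": now + 3600}, HARDCODED_SECRET)
    install_secret = generate_install_secret()
    return {
        "vulnerable": vulnerable_verify(forged, now),               # accepted as admin
        "hardened": hardened_verify(forged, install_secret, now),   # signature mismatch, rejected
    }


if __name__ == "__main__":
    print(demo())
```

The forged token is cryptographically valid under the shipped secret, so no amount of signature checking helps the vulnerable server: the defect is key management, not the verifier. The fix is the same for any product that signs session tokens: generate the secret at install time, store it outside the code base, and rotate it (invalidating outstanding sessions) if it is ever suspected to have leaked.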

Vulnerability Mitigation with the help of Wallarm

Gartner predicts that by 2025 fewer than 50% of enterprise APIs will be properly managed, leaving a large share of APIs beyond the reach of security controls. Organizations therefore face the challenge of keeping up with rapidly growing API usage, both external and internal, and with an attack surface that grows along with it.

With Wallarm’s fully integrated API & Application Security platform, you can now gain complete visibility into your entire API portfolio, monitor sensitive data flows, and identify risks. 

  • API Discovery: find shadow, rogue, zombie, and deprecated API endpoints to improve control over your attack surface and reduce risk
  • Track Sensitive Data: understand where sensitive data (PII, financial transactions, health data, credentials) flows through your APIs, to support compliance with applicable regulations and standards
  • Detect API Secrets Exposure: find API tokens and secret keys (e.g., JWT signing keys, API keys) that have been left in API source code, frontend code, or the source tree, where attackers can harvest them

To learn how Wallarm's platform enables these countermeasure checks, visit our official website.
