A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Supervisor authentication bypass flaw tracked as CVE-2024-29849 is now publicly accessible, making it pressing that admins apply the most recent security updates.
Veeam Backup Enterprise Supervisor (VBEM) is a web-based platform for managing Veeam Backup & Replication installations through an online console. It helps management backup jobs and carry out restoration operations throughout a company’s backup infrastructure and large-scale deployments.
Veeam issued a security bulletin in regards to the important flaw on Might 21, warning a few important vulnerability enabling distant unauthenticated attackers to log in to VBEM’s net interface as any consumer.
The seller urged its clients to deal with the issue by upgrading to VBEM model 12.1.2.172, whereas additionally sharing mitigation suggestions for these unable to use the replace instantly.
Exploit particulars
In a technical writeup by Sina Kheirkha, the cybersecurity researcher explains that the flaw lies within the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service, which listens on TCP port 9398, functioning as a REST API server for the primary net software.
The exploit entails sending a specifically crafted VMware single-sign-on (SSO) token to the weak service utilizing the Veeam API.
The token accommodates an authentication request that impersonates an administrator consumer and an SSO service URL that Veeam, crucially, does not confirm.
The base64-encoded SSO token is decoded and interpreted in XML type to confirm its validity through a SOAP request to an attacker-controlled URL.
This rogue server arrange by the attacker responds positively to validation requests, so Veeam accepts the authentication request and provides administrator entry to the attacker.
Supply: summoning.staff
The offered exploit demonstrates all of the steps to use the vulnerability, together with organising a callback server, sending the crafted token, and retrieving an inventory of file servers as proof of profitable exploitation.
Addressing the dangers
Though no in-the-wild exploitation of CVE-2024-29849 has been reported but, the general public availability of a working exploit might change this in a short while. Subsequently, updating to model 12.1.2.172 or later as quickly as doable is important.
These unable to patch ought to comply with these suggestions:
- Restrict entry to the VBEM net interface by limiting community entry to solely trusted IP addresses.
- Implement firewall guidelines to dam unauthorized entry to the ports utilized by Veeam providers (e.g., port 9398 for the REST API).
- Allow multi-factor authentication for all accounts accessing VBEM.
- Deploy a Internet Utility Firewall to assist detect and block malicious requests focusing on VBEM.
- Repeatedly monitor and audit entry logs for any suspicious or unauthorized entry makes an attempt, and arrange alerts for login makes an attempt from untrusted IP addresses.
- Isolate the VBEM server from different important programs inside your community to include lateral motion threat.
