On May 21, 2024, Veeam disclosed a severe flaw in the Veeam Backup Enterprise Manager (VBEM) web interface that allows an unauthenticated attacker to log in to the web interface as any user. Officially designated CVE-2024-29849, the vulnerability carries a CVSS v3 score of 9.8 (critical).
VBEM is a web-based platform that lets administrators manage Veeam Backup & Replication installations from a single web console. Because it sits in front of the backup infrastructure, a threat actor who exploits CVE-2024-29849 can carry out harmful activities such as obtaining unauthorized access to confidential information, altering data, or interrupting operations.
Details about the exploit
In a detailed research write-up released by Summoning Team, the flaw was traced to the service listening on TCP port 9398, which serves as the REST API server for the primary web application.
The exploitation method involves sending a specially crafted VMware single sign-on (SSO) token to the vulnerable service through the Veeam REST API. The token carries an authentication request that impersonates an administrator user, together with an SSO service URL that Veeam does not validate.
The base64-encoded SSO (single sign-on) token is decoded and parsed as XML, and its validity is then checked with a SOAP request sent to the SSO service URL taken from the token itself, which is under the attacker's control. The attacker's rogue server answers every validation request affirmatively, so Veeam accepts the authentication request and grants the attacker administrator access.
The image above outlines the entire process of taking advantage of the vulnerability: setting up a callback server, sending the crafted token, and retrieving a list of file servers as evidence of successful exploitation.
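The flaw described above comes down to a single trust decision: the service that is supposed to validate the token asks the endpoint named inside the attacker's own token. The following Python model, added here as an illustration and not taken from Veeam's code or from the Summoning Team write-up, shows that vulnerable pattern beside a hardened one that only ever validates against the administrator-configured SSO service. The token XML layout, the element names, the ValidateToken SOAP shape, and all hostnames are assumptions made for the example; real vSphere SSO tokens are SAML assertions with a different structure. The "network" is replaced by injected transport functions so the script runs offline.

```python
"""
Illustrative model of the trust flaw behind CVE-2024-29849.
Assumed, simplified token format (NOT Veeam's or VMware's real format):
    <ssoToken><user>NAME</user><stsUrl>URL</stsUrl></ssoToken>, base64-encoded.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import urlparse

# Hypothetical STS URL the administrator configured when pairing VBEM with vCenter.
CONFIGURED_STS_URL = "https://vcenter.example.internal/sts/STSService"
# Hypothetical attacker callback server named inside the forged token.
ROGUE_STS_URL = "http://attacker.example/sts"

Transport = Callable[[str, str], str]  # transport(url, soap_body) -> soap_response


def make_token(user: str, sts_url: str) -> str:
    """Build a constructed sample token naming a user and a validation endpoint."""
    doc = f"<ssoToken><user>{user}</user><stsUrl>{sts_url}</stsUrl></ssoToken>"
    return base64.b64encode(doc.encode()).decode()


def parse_token(token_b64: str) -> dict:
    """Decode base64 and parse the XML, as the vulnerable service does."""
    root = ET.fromstring(base64.b64decode(token_b64))
    return {"user": root.findtext("user"), "sts_url": root.findtext("stsUrl")}


def soap_validate(sts_url: str, token_b64: str, transport: Transport) -> bool:
    """Send a ValidateToken-style SOAP request to sts_url and read the boolean answer."""
    body = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soap:Body><ValidateToken><token>{token_b64}</token></ValidateToken></soap:Body>"
        "</soap:Envelope>"
    )
    response = transport(sts_url, body)
    return ET.fromstring(response).findtext(".//ValidateTokenResult") == "true"


def login_vulnerable(token_b64: str, transport: Transport) -> Optional[str]:
    """Flawed pattern: the validation endpoint is read from the token and never checked."""
    fields = parse_token(token_b64)
    if soap_validate(fields["sts_url"], token_b64, transport):
        return fields["user"]
    return None


def login_hardened(token_b64: str, transport: Transport) -> Optional[str]:
    """Hardened pattern: reject tokens naming any other STS, and only ever call the
    configured endpoint, so an attacker-supplied URL is never contacted."""
    fields = parse_token(token_b64)
    if fields["sts_url"] != CONFIGURED_STS_URL:
        return None
    if soap_validate(CONFIGURED_STS_URL, token_b64, transport):
        return fields["user"]
    return None


# ---- constructed stand-ins for the network (no real sockets are opened) ----
def rogue_server(url: str, body: str) -> str:
    """Attacker callback server: answers 'true' to every validation request."""
    return "<r><ValidateTokenResult>true</ValidateTokenResult></r>"


def real_sts(url: str, body: str) -> str:
    """Legitimate STS: it never issued the forged token, so it answers 'false'."""
    return "<r><ValidateTokenResult>false</ValidateTokenResult></r>"


def route(url: str, body: str) -> str:
    """Deliver the request to whichever 'server' the URL's host names."""
    host = urlparse(url).hostname
    return rogue_server(url, body) if host == "attacker.example" else real_sts(url, body)


if __name__ == "__main__":
    forged = make_token("administrator", ROGUE_STS_URL)
    print("vulnerable login as:", login_vulnerable(forged, route))  # administrator
    print("hardened login as:  ", login_hardened(forged, route))    # None
```

The takeaway for reviewers of any SSO or token-validation code is the same as in the hardened function: the endpoint that vouches for a credential must come from server-side configuration, never from the credential being checked. A secondary check worth keeping even after patching is that egress from the backup management host to arbitrary HTTP(S) destinations is blocked, which would have stopped the callback to the rogue server described above.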
Next Steps
Veeam also disclosed three further vulnerabilities affecting the same product:
- CVE-2024-29850 (CVSS score: 8.8), enabling account takeover through NTLM relay
- CVE-2024-29851 (CVSS score: 7.2), allowing a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if it is not set to run as the default Local System account
- CVE-2024-29852 (CVSS score: 2.7), allowing a high-privileged user to read backup session logs
Although there are no reports of CVE-2024-29849 being exploited in the wild, the public availability of a working exploit could change that quickly. It is therefore crucial to update to version 12.1.2.172 or later as soon as possible.
*Note: Veeam emphasized that installing Veeam Backup Enterprise Manager is optional, and environments without it are not affected by these issues.