Veeam Backup Enterprise Manager’s Critical Authentication Bypass Flaw: Public Exploit Available

June 10, 2024

A proof-of-concept (PoC) exploit for a critical vulnerability in Veeam Backup Enterprise Manager (VBEM), tracked as CVE-2024-29849, is now publicly accessible. This situation heightens the urgency for administrators to apply the latest security updates.

VBEM is a web-based platform used to manage Veeam Backup & Replication installations through a single web console. It allows administrators to control backup jobs and run restore operations across an organization's backup infrastructure, including large-scale deployments. Veeam addressed the flaw in a security bulletin issued on May 21, 2024. The vulnerability allows a remote, unauthenticated attacker to log into the VBEM web interface as any user, including administrators. Veeam strongly advised customers to upgrade to VBEM version 12.1.2.172 and also published mitigations for those who could not apply the update immediately.

The flaw, as explained by security researcher Sina Kheirkhah in a technical write-up, lies in the 'Veeam.Backup.Enterprise.RestAPIService.exe' service. This service listens on TCP port 9398 and acts as the REST API server behind the main web application. The exploit sends a specially crafted VMware single sign-on (SSO) token to the vulnerable service through the Veeam API. The token carries an authentication request that impersonates an administrator user, together with an SSO service URL that Veeam does not validate.

VBEM base64-decodes the SSO token, parses it as XML, and then checks its validity by issuing a SOAP request to the SSO service URL taken from the token itself, which means the attacker chooses which server is asked. A rogue server set up by the attacker answers every validation request affirmatively, so Veeam accepts the authentication request and grants the attacker administrator access. The trust anchor for the whole check (which SSO service to consult) is therefore supplied by the unauthenticated client rather than by server-side configuration. The published exploit walks through every step: starting a callback server, sending the crafted token, and retrieving a list of file servers as proof of successful exploitation.
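To make the trust problem concrete, the following Python script is an added illustration, not Veeam's code and not the published exploit. It models the validation flow described above with a constructed, hypothetical token layout (a base64-encoded XML document carrying a user name and an SSO service URL); the real Veeam token schema is not reproduced here. The "SOAP validation" is an in-process stub keyed by URL rather than a live HTTP server, so the script runs offline. `validate_token_vulnerable` trusts whatever URL the token names, which is the flaw in this bug class; `validate_token_hardened` only consults SSO services from a server-side allowlist, which is the shape of the fix.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed token layout for illustration only; not Veeam's real SSO token format.
def build_token(username: str, sso_url: str) -> str:
    """Build a base64-encoded XML 'SSO token' naming a user and an SSO service URL."""
    xml = (
        "<ssoToken>"
        f"<user>{username}</user>"
        f"<ssoServiceUrl>{sso_url}</ssoServiceUrl>"
        "</ssoToken>"
    )
    return base64.b64encode(xml.encode()).decode()


# Simulated SOAP validation endpoints, keyed by URL (hypothetical hosts).
# The legitimate STS only vouches for a known service account; the attacker's
# callback server vouches for anyone, exactly as a rogue server in this attack would.
VALIDATORS = {
    "https://vcenter.corp.example/sts": lambda user: user == "svc_backup",
    "https://attacker.example/callback": lambda user: True,
}


def soap_validate(sso_url: str, username: str) -> bool:
    """Stand-in for the SOAP round-trip: ask the named SSO service whether the user is valid."""
    handler = VALIDATORS.get(sso_url)
    return bool(handler and handler(username))


def parse_token(token: str) -> tuple[str, str]:
    """Decode base64, parse the XML, return (user, sso_service_url)."""
    root = ET.fromstring(base64.b64decode(token))
    return root.findtext("user") or "", root.findtext("ssoServiceUrl") or ""


def validate_token_vulnerable(token: str):
    """Flawed pattern: the validation endpoint comes from the untrusted token itself."""
    user, url = parse_token(token)
    return user if soap_validate(url, user) else None


# Server-side configuration of the only SSO services this deployment trusts.
TRUSTED_SSO_HOSTS = {"vcenter.corp.example"}


def validate_token_hardened(token: str):
    """Hardened pattern: only consult SSO services from a server-side allowlist, over HTTPS."""
    user, url = parse_token(token)
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_SSO_HOSTS:
        return None  # refuse before any network request is made
    return user if soap_validate(url, user) else None


if __name__ == "__main__":
    forged = build_token("Administrator", "https://attacker.example/callback")
    print("vulnerable:", validate_token_vulnerable(forged))  # Administrator
    print("hardened:  ", validate_token_hardened(forged))    # None
```

The hardened variant rejects the forged token before contacting any server, which is the property a reviewer should look for: the set of acceptable identity providers must be fixed by configuration, never derived from the request being authenticated.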

As of now, there have been no reports of CVE-2024-29849 being exploited in the wild. However, the public availability of a working exploit may change that quickly, so upgrading to version 12.1.2.172 or later as soon as feasible is of paramount importance. Administrators who cannot apply the patch immediately should follow the mitigations Veeam provided in its bulletin.
