Critical Veeam Recovery Orchestrator Auth Bypass Exploit Released: Immediate Patching Required

June 13, 2024

A proof-of-concept (PoC) exploit for a severe authentication bypass vulnerability in Veeam Recovery Orchestrator, known as CVE-2024-29855, has been made public, thereby escalating the potential for exploitation.

The exploit was created by security researcher Sina Kheirkha, who also detailed the vulnerability on his website. According to Kheirkha, the flaw is easier to exploit than what the vendor's bulletin initially suggested.

CVE-2024-29855, which has a critical rating of 9.0 according to CVSS v3.1, affects Veeam Recovery Orchestrator versions 7.0.0.337 and 7.1.0.205 and older. This vulnerability enables unauthorized attackers to gain access to the Veeam Recovery Orchestrator web user interface with administrative rights.

The issue stems from the use of a hardcoded JSON Web Token (JWT) secret, which allows attackers to generate valid JWT tokens for any user, including administrators. The JWT secret generates and validates tokens without any randomness or uniqueness in each installation, making it predictable and static enough to be exploited.

Veeam's security bulletin recommends upgrading to the patched versions 7.1.0.230 and 7.0.0.379 to address the vulnerability. The bulletin also describes the conditions necessary to exploit the flaw, including knowing a valid username and role and targeting a user with an active session. "The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack," Veeam's bulletin states.

However, Kheirkha's write-up demonstrates that some of these requirements can be bypassed with minimal effort, making this vulnerability more potent and impactful. Kheirkha found that the role requirement can be easily overcome as there are only five potential roles (DRSiteAdmin, DRPlanAuthor, DRPlanOperator, and SiteSetupOperator). The exploit script was designed to cycle through these roles when generating JWT tokens until a match is found.

To find a username for the attack, the researcher noted that the SSL certificate, which can be obtained simply by connecting to the target endpoint, typically contains enough information to derive the domain and potential usernames for a token spraying attack. "The "knowing the username" problem "kind of" can be solved with the following solution: assuming there exists a user named administrator@evilcorp.local, one can find the domain name by looking at the CN field of the SSL certificate, and the username can be sprayed," the researchers at the Summoning Team explain.

In terms of the "active session" requirement, Kheirkha's PoC script generates and tests JWT tokens over a range of timestamps to increase the likelihood of hitting an active session. A more targeted and stealthy approach would involve investigating user activity times. Alternatively, a 'brute force' approach could involve continuous attempts until an active session token is matched.

Now that the exploit for CVE-2024-29855 is publicly available, attackers are likely to attempt to leverage it against unpatched systems. Therefore, it is crucial to apply the available security updates as soon as possible.

Latest News

• Rockwell's ICS Advisory Amid Rising Critical Infrastructure Threats
• Biometric Security Vulnerabilities Uncovered: Authentication Risks in the Spotlight
• Google Addresses Android Zero-Day Exploit on Pixel Devices
• Black Basta Ransomware Group Suspected of Exploiting Windows Zero-Day Vulnerability
• Microsoft Rectifies 51 Security Flaws Including a Critical MSMQ Vulnerability