Critical Veeam Recovery Orchestrator Auth Bypass Exploit Released: Immediate Patching Required

June 13, 2024

A proof-of-concept (PoC) exploit for a severe authentication bypass vulnerability in Veeam Recovery Orchestrator, known as CVE-2024-29855, has been made public, thereby escalating the potential for exploitation.

The exploit was created by security researcher Sina Kheirkha, who also detailed the vulnerability on his website. According to Kheirkha, the flaw is easier to exploit than what the vendor's bulletin initially suggested.

CVE-2024-29855, which has a critical rating of 9.0 according to CVSS v3.1, affects Veeam Recovery Orchestrator versions and and older. This vulnerability enables unauthorized attackers to gain access to the Veeam Recovery Orchestrator web user interface with administrative rights.

The issue stems from the use of a hardcoded JSON Web Token (JWT) secret, which allows attackers to generate valid JWT tokens for any user, including administrators. The JWT secret generates and validates tokens without any randomness or uniqueness in each installation, making it predictable and static enough to be exploited.

Veeam's security bulletin recommends upgrading to the patched versions and to address the vulnerability. The bulletin also describes the conditions necessary to exploit the flaw, including knowing a valid username and role and targeting a user with an active session. "The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack," Veeam's bulletin states.

However, Kheirkha's write-up demonstrates that some of these requirements can be bypassed with minimal effort, making this vulnerability more potent and impactful. Kheirkha found that the role requirement can be easily overcome as there are only five potential roles (DRSiteAdmin, DRPlanAuthor, DRPlanOperator, and SiteSetupOperator). The exploit script was designed to cycle through these roles when generating JWT tokens until a match is found.

To find a username for the attack, the researcher noted that the SSL certificate, which can be obtained simply by connecting to the target endpoint, typically contains enough information to derive the domain and potential usernames for a token spraying attack. "The "knowing the username" problem "kind of" can be solved with the following solution: assuming there exists a user named administrator@evilcorp.local, one can find the domain name by looking at the CN field of the SSL certificate, and the username can be sprayed," the researchers at the Summoning Team explain.

In terms of the "active session" requirement, Kheirkha's PoC script generates and tests JWT tokens over a range of timestamps to increase the likelihood of hitting an active session. A more targeted and stealthy approach would involve investigating user activity times. Alternatively, a 'brute force' approach could involve continuous attempts until an active session token is matched.

Now that the exploit for CVE-2024-29855 is publicly available, attackers are likely to attempt to leverage it against unpatched systems. Therefore, it is crucial to apply the available security updates as soon as possible.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.