杭州江阴科强工业胶带有限公司

{"id":164407,"date":"2024-06-11T09:14:55","date_gmt":"2024-06-11T09:14:55","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164407"},"modified":"2024-06-11T09:19:04","modified_gmt":"2024-06-11T09:19:04","slug":"veeam-cve-2024-29849-poc","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164407\/hacking\/veeam-cve-2024-29849-poc.html","title":{"rendered":"Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. Patch it now!"},"content":{"rendered":"

<\/div>\n

A proof-of-concept (PoC) exploit code for a\u00a0Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available.<\/h2>\n\n\n\n

Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849<\/a> and a proof of concept exploit for this issue.<\/p>\n\n\n\n

The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.<\/p>\n\n\n\n

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.<\/gwmw><\/p>\n\n\n\n

\u201cThis vulnerability in Veeam Backup Enterprise Manager<\/strong> allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.\u201d reads the advisory<\/a> published by the vendor.<\/p>\n\n\n\n

The vulnerability was addressed with the release of version 12.1.2.172<\/a>. The company also provided the following mitigation:<\/p>\n\n\n\n

\n
This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
To do this, stop and disable the following services:\n
\n
VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)<\/li>\n\n\n\n
VeeamRESTSvc (Veeam RESTful API Service)
_{Note: Do not stop the \u2018Veeam Backup Server RESTful API Service\u2019.<\/sub><\/li>\n<\/ul>\n<\/li>\n\n\n\n}
Veeam Backup Enterprise Manager is compatible<\/a> with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server<\/strong>, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.<\/li>\n\n\n\n
Veeam Backup Enterprise Manager can be uninstalled<\/a> if it is not in use.<\/gwmw><\/gwmw><\/li>\n<\/ul>\n\n\n\n
Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.<\/gwmw><\/p>\n\n\n\n
Kheirkha explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (vVeeamRESTSvc<\/code> ), which is installed during the setup of the Veeam enterprise manager software.<\/p>\n\n\n\n
“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it\u2019s something to do with Authentication<\/strong> and the mitigation suggesting the issue has something to do with the either \u201cVeeamEnterpriseManagerSvc\u201d or \u201cVeeamRESTSvc\u201d services, I began my patch diffing routine and realized the entry point, I\u2019ll introduce VeeamRESTSvc<\/code> also known as Veeam.Backup.Enterprise.RestAPIService.exe<\/code>” reads the post<\/strong><\/a> published by the researcher.<\/p>\n\n\n\n
The service listens on port TCP\/9398 and operated as a REST API server, which is basically an API version of the main web application that listens on port TCP\/9443<\/gwmw><\/p>\n\n\n\n
The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and used an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. Then a server under the control of the attack responds positively to the validation, granting the attacker administrator access. <\/p>\n\n\n\n
To detect exploitation attempts, the researcher recommends to analyze the following<\/gwmw> log file:<\/p>\n\n\n\n
C:\\ProgramData\\Veeam\\Backup\\Svc.VeeamRestAPI.log\n<\/code><\/pre>\n\n\n\nsearching for\u00a0Validating Single Sign-On token. Service enpoint URL:<\/code>\u00a0<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/gwmw><\/gwmw><\/gwmw>Follow me on Twitter:\u00a0@securityaffairs<\/strong><\/a>\u00a0and\u00a0Facebook<\/strong><\/a>\u00a0and\u00a0Mastodon<\/strong><\/a><\/gwmw><\/p>\n\n\n\n Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n (<\/strong>SecurityAffairs<\/strong><\/a> \u2013<\/strong> hacking, PoC exploit)<\/strong><\/p>\n\n\n\n <\/gwmw><\/p>\n","protected":false},"excerpt":{"rendered":" A proof-of-concept (PoC) exploit code for a\u00a0Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available. Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and a proof of concept exploit for this issue. The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could […]<\/p>\n","protected":false},"author":1,"featured_media":143224,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,5],"tags":[15154,4112,9508,9506,10918,687,841,1533,13474],"class_list":["post-164407","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-hacking","tag-cve-2024-29849","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-pierluigi-paganini","tag-security-affairs","tag-security-news","tag-veem"],"yoast_head":"\n杭州江阴科强工业胶带有限公司