Veeam Backup Enterprise Manager, patch available for critical authentication bypass flaw

A security bulletin issued by Veeam on May 21, 2024 warned its users of a critical vulnerability in Veeam Backup Enterprise Manager (VBEM). A proof-of-concept (PoC) exploit for this authentication bypass flaw is now publicly available! Vulnerability CVE-2024-29849 allows an attacker to bypass authentication and take control of the system. It is urgent for administrators to apply the latest security updates…

What is Veeam Backup Enterprise Manager and which systems are affected?

Veeam Backup Enterprise Manager (VBEM) is a web-based management console for Veeam Backup & Replication installations. Multiple Veeam Backup & Replication servers can be managed from this single console. It lets administrators control backup jobs and perform restore operations across their organization’s infrastructure, and supports large-scale deployments.

In its security bulletin of May 21, updated on June 10, Veeam noted that VBEM deployment is optional: it is not installed or enabled by default in every environment. If this additional component is not deployed in your environment, you are not affected by these vulnerabilities.

However, Veeam provides the following tip: “You can identify whether VBEM is installed by checking for the presence of the Veeam Backup Enterprise Manager service or by running the following PowerShell command on the Veeam Backup server to see if VBR reports that it is managed by a VBEM deployment.”

The authentication bypass vulnerability: CVE-2024-29849

The critical vulnerability CVE-2024-29849 allows a remote attacker to bypass authentication, connect to VBEM’s web interface and take control of the system. All versions of Veeam Backup Enterprise Manager prior to 12.1.2.172 are affected.

Veeam has assigned a CVSS score of 9.8/10 to the critical security flaw CVE-2024-29849. It further warned, “This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log into the Veeam Backup Enterprise Manager web interface as any user.”

Figure: the CVE-2024-29849 flaw in Veeam Backup Enterprise Manager. Source: Veeam

To resolve the problem, Veeam has invited its customers to upgrade to VBEM version 12.1.2.172, which is available for download here on its official website. For those unable to patch quickly, Veeam recommends disabling the following services to mitigate the vulnerability:

  • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  • VeeamRESTSvc (Veeam RESTful API)

Note from Veeam: “On servers where VBEM and VBR are installed, there will be two services with similar names. The service named ‘Veeam Backup Server RESTful API Service’ belongs to the Veeam Backup & Replication software and does not need to be stopped as part of this mitigation.”

The vendor points out that disabling these services will not prevent installation of the 12.1.2 update, but that after updating, the services must be set back to start automatically. Finally, it also recommends uninstalling VBEM if it is installed but not in use, to eliminate the attack vector.

At the same time, Veeam has also corrected several high-severity vulnerabilities in VBEM.

  • CVE-2024-29850 (CVSS score 8.8/10): allows an account to be taken over via NTLM relay.
  • CVE-2024-29851 (CVSS score 7.2/10): allows high-privilege users to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if it is not configured to run as the default Local System account.
  • CVE-2024-29852 (CVSS score 2.7/10): this low-severity vulnerability allows an attacker with elevated privileges to read backup session logs.

Exploit details

Cybersecurity researcher Sina Kheirkha (@SinSinology) has published a technical article on Summoning Team. In it, he explains that the problem lies in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service, which is installed together with the Veeam Enterprise Manager software.

This service, which listens on TCP port 9398, functions as a REST API server for the main web application. In the context of Veeam Backup Enterprise Manager, this enables users and administrators to interact with the backup system via standardized HTTP requests, to perform operations such as backup management, restore point recovery, and other administrative functions.

In his article, the researcher writes at the start of his analysis: “When I started analyzing this vulnerability, I was initially a bit disappointed by the little information provided by Veeam, contenting itself with saying that authentication can be bypassed and not much more, however, knowing that this is an authentication issue and that mitigation suggests that the problem is related to the “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I started my patch differentiation routine and realized the entry point, I’m going to introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe”

Figure: Veeam Enterprise Manager installation. Source: Summoning Team

“This service, installed when the Veeam Enterprise Manager software is installed, listens on port TCP/9398 and, as its name suggests, is a REST API server, which is actually an API version of the main web application, which is on port TCP/9443,” explains the cybersecurity researcher.

The exploit targets the Veeam API by sending a specially crafted VMware single sign-on (SSO) token to the vulnerable service. The researcher sent a token containing an authentication request impersonating an administrator, together with an SSO service URL that Veeam did not verify.

The service base64-decodes the token, parses the resulting XML and then validates it by sending a SOAP request to the SSO service URL named in the token, which is a URL controlled by the attacker.

The attacker-controlled server simply answers the validation request positively, and since Veeam accepts that answer as proof of authentication, the attacker obtains administrator access.
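As an added illustration (not Veeam’s code, nor the researcher’s), the following Python sketch models the design flaw described above: a base64-encoded XML token names the SSO service endpoint, the weak validator contacts whatever endpoint the token names, and the hardened validator first checks that endpoint against an administrator-configured allowlist. The token layout, element names, the `send_soap` callback and `TRUSTED_SSO_HOSTS` are all assumptions, not the real VMware SSO token format.

```python
import base64
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Assumption: the administrator configures which SSO endpoints may ever be contacted.
TRUSTED_SSO_HOSTS = {"sso.example.internal"}


def make_token(user: str, endpoint: str) -> str:
    """Build a constructed token: XML naming the user and the SSO endpoint, base64-encoded.
    The element names are an assumption, not the real VMware SSO token format."""
    xml = f"<Token><User>{user}</User><ServiceEndpoint>{endpoint}</ServiceEndpoint></Token>"
    return base64.b64encode(xml.encode()).decode()


def extract_endpoint(token_b64: str) -> str:
    """Decode the token and pull out the SSO service endpoint URL it names."""
    root = ET.fromstring(base64.b64decode(token_b64))
    endpoint = root.findtext("ServiceEndpoint")
    if not endpoint:
        raise ValueError("token does not name an SSO service endpoint")
    return endpoint


def endpoint_is_trusted(url: str, trusted_hosts=TRUSTED_SSO_HOSTS) -> bool:
    """Only HTTPS endpoints whose host is on the allowlist may be used for validation."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in trusted_hosts


def validate_token_weak(token_b64: str, send_soap) -> bool:
    # Weak pattern: the endpoint named inside the token is used as-is, so whoever
    # crafts the token also chooses who answers the validation request.
    return send_soap(extract_endpoint(token_b64))


def validate_token_hardened(token_b64: str, send_soap, trusted_hosts=TRUSTED_SSO_HOSTS) -> bool:
    # Hardened pattern: refuse before any network call if the endpoint is not trusted.
    endpoint = extract_endpoint(token_b64)
    if not endpoint_is_trusted(endpoint, trusted_hosts):
        return False
    return send_soap(endpoint)


def always_valid(_endpoint: str) -> bool:
    """Stand-in for the SOAP call: models a server that answers 'valid' to everything."""
    return True
```

With `always_valid` standing in for a rogue SSO server, the weak validator accepts a token pointing at an untrusted host while the hardened one rejects it before any request is sent.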

Figure: Summoning Team proof-of-concept exploit for Veeam. Source: Summoning Team – Proof of Concept

The exploit provided by Sina Kheirkha details all the steps required to exploit this vulnerability: setting up a callback server, sending the signature token and retrieving a list of file servers as proof of successful exploitation.

Protecting against risks

In its June 10 article, BleepingComputer warns that, although no exploitation has been reported to date, the public release of the exploit could quickly change the situation if the usual updates and protections are not applied. It is therefore essential to update to version 12.1.2.172 or later as soon as possible.

In the meantime, for those who are unable to apply the patch, we recommend that you take the following precautions:

  • Restrict network access to trusted IP addresses to limit access to VBEM.
  • Implement firewall rules to block unauthorized access to ports used by Veeam services.
  • Secure authentication for all accounts accessing VBEM, using multi-factor authentication for example.
  • Deploy a firewall to detect and block malicious requests targeting VBEM.
  • Regularly monitor and audit access logs to detect unauthorized attempts and set up alerts.
  • Isolate the server from other network systems to limit the risk of compromise.

Finally, to detect any attempted exploitation, Sina Kheirkha recommends analyzing the following log file:

Search for ‘Validating Single Sign-On token. Service enpoint URL:’ inside this file; if you find it, an exploitation attempt has taken place.
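The following Python snippet is an added example (not from the researcher’s article) of that check run over a few constructed log lines: it reports every line carrying the quoted marker and extracts the endpoint URL each one names, so an analyst can see at once which host the service tried to contact. The log line layout and `TRUSTED_SSO_HOSTS` are assumptions; only the marker string itself is taken from the page, and as the article says, any hit at all is already an indicator, the allowlist merely orders triage.

```python
from urllib.parse import urlsplit

# Marker string exactly as quoted from the researcher's recommendation (including "enpoint").
MARKER = "Validating Single Sign-On token. Service enpoint URL:"

# Assumption: SSO endpoints the organisation actually uses; anything else is a red flag.
TRUSTED_SSO_HOSTS = {"sso.example.internal"}

# Constructed sample log excerpt. The timestamp/thread prefix is invented; the real
# Veeam log layout may differ, and only the MARKER substring is relied upon below.
SAMPLE_LOG = """\
[10.06.2024 09:12:01] <12> Info   Request GET /api/sessions
[10.06.2024 09:12:03] <12> Info   Validating Single Sign-On token. Service enpoint URL: https://sso.example.internal/sts/STSService
[10.06.2024 09:15:44] <19> Info   Validating Single Sign-On token. Service enpoint URL: http://203.0.113.10:8000/sts
[10.06.2024 09:15:45] <19> Info   Request GET /api/fileServers
"""


def find_sso_validations(log_text: str):
    """Return (line_number, endpoint_url) for every line that carries the marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        pos = line.find(MARKER)
        if pos == -1:
            continue
        hits.append((lineno, line[pos + len(MARKER):].strip()))
    return hits


def untrusted_endpoints(hits, trusted_hosts=TRUSTED_SSO_HOSTS):
    """Subset of hits whose endpoint is not HTTPS to an allowlisted host: triage these first."""
    flagged = []
    for lineno, url in hits:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in trusted_hosts:
            flagged.append((lineno, url))
    return flagged


if __name__ == "__main__":
    hits = find_sso_validations(SAMPLE_LOG)
    flagged = set(untrusted_endpoints(hits))
    for lineno, url in hits:
        label = "UNTRUSTED" if (lineno, url) in flagged else "allowlisted host"
        print(f"line {lineno}: SSO validation against {url} [{label}]")
```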

Figure: analysis of the Veeam log, searching for evidence of an exploitation attempt. Source: Summoning Team

References and analysis:

Bypassing Veeam Authentication CVE-2024-29849 (summoning.team)

Exploit for critical Veeam auth bypass available, patch now (bleepingcomputer.com)

Veeam Backup Enterprise Manager Vulnerabilities (CVE-2024-29849, CVE-2024-29850, CVE-2024-29851, CVE-2024-29852) (veeam.com)

Release Information for Veeam Backup & Replication 12.1 and Updates (veeam.com)
