
June 10, 2024

Exploit now available for critical Veeam vulnerability


A proof-of-concept (PoC) exploit for CVE-2024-29849, a critical authentication bypass vulnerability in Veeam’s Backup Enterprise Manager (VBEM), is now publicly available.

The exploit leverages a flaw in VBEM’s “Veeam.Backup.Enterprise.RestAPIService” service, which allows a threat actor to send a specially crafted VMware token to the service using the Veeam API.

The forged token contains a request to authenticate as an administrator user via a Single Sign-On (SSO) service URL that is controlled by the threat actor and that VBEM does not verify. This allows threat actors to set up rogue servers that respond positively to such authentication requests, which Veeam wrongly accepts, ultimately granting the threat actor administrator access.
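As an added illustration (not Veeam's code, which is not reproduced here), the following Python models the general pattern the article describes: a verifier that trusts whatever SSO server a token names, beside a hardened verifier that only consults servers on a configured allowlist. The trusted hostname and the URL normalisation are assumptions about how such a check should be written.

```python
"""Constructed model of the flaw class above: a token names the SSO server
that should vouch for the user, and the vulnerable verifier asks that server
without first checking that it is one the deployment trusts."""
from urllib.parse import urlsplit

# Constructed: the only SSO endpoint this deployment trusts (scheme, host, port).
TRUSTED_SSO = {("https", "sso.corp.example", 443)}


def _parse_sso_url(url):
    """Normalise scheme, host and port so look-alike URLs do not slip past the
    allowlist (upper-case host, trailing dot, userinfo before an '@', etc.)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)


def sso_url_is_trusted(url):
    """True only if the URL resolves to an allowlisted SSO endpoint."""
    return _parse_sso_url(url) in TRUSTED_SSO


def validate_token_vulnerable(token, query_sso):
    """Vulnerable pattern: whichever server the token names decides the answer."""
    return query_sso(token["sso_url"], token["user"])


def validate_token_hardened(token, query_sso):
    """Hardened pattern: refuse tokens pointing at any non-allowlisted server
    before a single request is made to it."""
    if not sso_url_is_trusted(token["sso_url"]):
        return False
    return query_sso(token["sso_url"], token["user"])


def always_yes_sso(url, user):
    """Constructed stand-in for a server that confirms every identity it is asked about."""
    return True


if __name__ == "__main__":
    tok = {"user": "administrator", "sso_url": "https://unverified.example/sso"}
    print("vulnerable:", validate_token_vulnerable(tok, always_yes_sso))  # True
    print("hardened:  ", validate_token_hardened(tok, always_yes_sso))    # False
```

The hardened check is the property the fix restores: the identity provider is fixed by configuration, not chosen by the caller.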

The exploit comes almost three weeks after Veeam announced the vulnerability and encouraged users to update to version 12.1.2.172.

Source: Bleeping Computer

Analysis

To date, there is no evidence that CVE-2024-29849 has been exploited in the wild. However, that is likely to change soon given the public availability of a working exploit, along with detailed instructions for how to use it.

Backup software, such as VBEM, is frequently targeted by threat actors looking for sensitive information that could be ransomed or exposed online, leading to privacy concerns and reputational damage.

For example, in 2023, Veeam discovered and patched a high-severity vulnerability, designated CVE-2023-27532, in its Backup and Replication software. Despite the availability of a patch, the vulnerability was quickly exploited by financially motivated and ransomware actors. Several months later, Cuba ransomware affiliates used the same vulnerability in attacks targeting U.S. critical infrastructure and IT companies based in Latin America.

The recency and impact of CVE-2023-27532 have us hopeful that many users have already upgraded their VBEM instances to the latest version or implemented essential mitigations.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like VBEM. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities.

Field Effect MDR users have already been notified if a vulnerable version of VBEM was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

We strongly encourage users of the affected VBEM versions to update to the latest version if they haven’t already done so, in accordance with Veeam’s advisory. Those who can’t update are encouraged to:

  • Limit access to the VBEM web interface to trusted IP addresses.
  • Implement firewall rules to block unauthorized access to the ports used by Veeam services (e.g., port 9398 for the REST API).
  • Enable multi-factor authentication for all accounts accessing VBEM.
  • Deploy a Web Application Firewall (WAF) to help detect and block malicious requests targeting VBEM.
  • Regularly monitor and audit access logs for any suspicious or unauthorized access attempts, and set up alerts for login attempts from untrusted IP addresses.
  • Isolate the VBEM server from other critical systems within your network to contain lateral movement risk.
