CVE-2023-27532

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Recent assessments:

sfewer-r7 at March 14, 2023 2:49pm UTC reported:

On March 7, 2023, Veeam published an advisory, along with patches, for CVE-2023-27532. This vulnerability affects Veeam Backup & Replication versions 12 (before version 12.0.0.1420 P20230223) and 11 (before version 11.0.1.1261 P20230227). An unauthenticated attacker is able to retrieve encrypted credentials from the Veeam Backup service, which listens on TCP port 9401 by default. The original CVE was given a CVSS score of 7.5 and a severity of High, due to newly available information, this seems to underestimate the impact this vulnerability can have.

On March 9, 2023, CODE WHITE GmbH tweeted that it was possible to retrieve plaintext credentials from the Veeam Backup service. The original advisory stated only encrypted credentials could be leaked, so this development significantly increases the impact of this vulnerability.

On March 13, 2023, Huntress published an article demonstrating how arbitrary code execution can be achieved. By leveraging the initial vulnerability to retrieve the encrypted credentials, the plaintext credentials can be retrieved by calling another unauthenticated endpoint on the Veeam Backup & Replication server. Finally the newly discovered credential appears to be used to call an authenticated endpoint to achieve arbitrary code execution with local system privileges. Huntress have not published full details of the exploit nor any proof of concept code.

On March 17, 2023, researcher Y4er published technical details on how to retrieve the encrypted credentials from a vulnerable Veeam Backup & Replication server.

Veeam Backup & Replication is a high value target for an attacker, and this product has been featured on the CISA Known Exploited Vulnerabilities Catalog in 2022 for two different CVE’s.

While it is unlikely to see the vulnerable service broadly exposed on internet-facing systems, for an attacker with initial access into a corporate network, this will be a target of great interest. In particular we can expect ransomware groups to leverage this vulnerability in future ransomware campaigns.

cbeek-r7 at October 13, 2023 11:33am UTC reported:

On March 7, 2023, Veeam published an advisory, along with patches, for CVE-2023-27532. This vulnerability affects Veeam Backup & Replication versions 12 (before version 12.0.0.1420 P20230223) and 11 (before version 11.0.1.1261 P20230227). An unauthenticated attacker is able to retrieve encrypted credentials from the Veeam Backup service, which listens on TCP port 9401 by default. The original CVE was given a CVSS score of 7.5 and a severity of High, due to newly available information, this seems to underestimate the impact this vulnerability can have.

On March 9, 2023, CODE WHITE GmbH tweeted that it was possible to retrieve plaintext credentials from the Veeam Backup service. The original advisory stated only encrypted credentials could be leaked, so this development significantly increases the impact of this vulnerability.

On March 13, 2023, Huntress published an article demonstrating how arbitrary code execution can be achieved. By leveraging the initial vulnerability to retrieve the encrypted credentials, the plaintext credentials can be retrieved by calling another unauthenticated endpoint on the Veeam Backup & Replication server. Finally the newly discovered credential appears to be used to call an authenticated endpoint to achieve arbitrary code execution with local system privileges. Huntress have not published full details of the exploit nor any proof of concept code.

On March 17, 2023, researcher Y4er published technical details on how to retrieve the encrypted credentials from a vulnerable Veeam Backup & Replication server.

Veeam Backup & Replication is a high value target for an attacker, and this product has been featured on the CISA Known Exploited Vulnerabilities Catalog in 2022 for two different CVE’s.

While it is unlikely to see the vulnerable service broadly exposed on internet-facing systems, for an attacker with initial access into a corporate network, this will be a target of great interest. In particular we can expect ransomware groups to leverage this vulnerability in future ransomware campaigns.

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5