CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 10 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)
On May 21, 2024, Veeam disclosed a severe flaw in the Veeam Backup Enterprise Manager (VBEM) web interface that allows an unauthenticated attacker to log into the web interface as any user. Designated CVE-2024-29849, the vulnerability carries a CVSS v3 rating of 9.8 (critical).
VBEM is a web-based platform that lets administrators manage Veeam Backup & Replication installations through a web console. An attacker who exploits CVE-2024-29849 therefore inherits that control and can read confidential backup data, alter it, or disrupt backup and restore operations.
In a detailed research report released by Summoning Team, the flaw was traced to TCP port 9398, which serves the REST API for the primary web application.
Exploitation involves sending a specially crafted VMware single sign-on (SSO) token to the vulnerable service via the Veeam API. The token carries an authentication request that impersonates an administrator user together with an SSO service URL that Veeam does not validate.
The base64-encoded SSO token is decoded and parsed as XML, and its validity is then confirmed through a SOAP request sent to the URL the token itself names, which the attacker controls. The attacker's rogue server answers the validation request affirmatively, so Veeam accepts the authentication request and grants the attacker administrator access.
Source: Summoning Team
The figure above outlines the full exploitation process: standing up a callback server, sending the crafted token, and retrieving a list of file servers as proof of successful exploitation.
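To make the flawed trust relationship concrete, here is an added Python model of the validation logic as the post describes it, next to a hardened variant. This is illustrative code written for this page, not Veeam's implementation and not Summoning Team's exploit: the token schema (SsoToken, Subject, ValidationUrl), the endpoint URLs, the issued-assertion table and the fake_soap_validate transport are all constructed assumptions, and the outbound SOAP call is simulated by routing on the URL rather than by real HTTP.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed environment (placeholder hosts, not real endpoints).
CONFIGURED_STS_URL = "https://vcenter.corp.example/sts/STSService"  # what the admin configured
ATTACKER_STS_URL = "http://attacker.example/sts"                    # attacker's callback server

# The genuine STS recognises only the assertions it actually issued (assumed data).
REAL_STS_ISSUED = {"_a1b2c3": "alice@vsphere.local"}


def build_token(subject: str, assertion_id: str, validation_url: str) -> str:
    """Base64-encode an XML token of the shape the post describes (assumed schema)."""
    xml = (
        f'<SsoToken AssertionID="{assertion_id}">'
        f"<Subject>{subject}</Subject>"
        f"<ValidationUrl>{validation_url}</ValidationUrl>"
        "</SsoToken>"
    )
    return base64.b64encode(xml.encode()).decode()


def fake_soap_validate(url: str, token_xml: bytes) -> bool:
    """Stand-in for the outbound SOAP validation call; routes by URL instead of doing HTTP."""
    root = ET.fromstring(token_xml)
    assertion_id, subject = root.get("AssertionID"), root.findtext("Subject")
    if url == CONFIGURED_STS_URL:
        # Real STS: valid only if it issued this assertion for this subject.
        return REAL_STS_ISSUED.get(assertion_id) == subject
    if url == ATTACKER_STS_URL:
        # Rogue STS: affirms every validation request it receives.
        return True
    raise ConnectionError(f"no route to {url}")


def vulnerable_login(token_b64: str, soap_validate=fake_soap_validate) -> Optional[str]:
    """Flawed logic: the token names the server that gets to vouch for the token."""
    raw = base64.b64decode(token_b64)
    root = ET.fromstring(raw)
    url = root.findtext("ValidationUrl")  # attacker-chosen endpoint
    if soap_validate(url, raw):
        return root.findtext("Subject")   # attacker-chosen identity becomes the session user
    return None


def hardened_login(token_b64: str, soap_validate=fake_soap_validate) -> Optional[str]:
    """Fixed logic: the validation endpoint comes from server configuration, never from the token."""
    raw = base64.b64decode(token_b64)
    root = ET.fromstring(raw)
    if soap_validate(CONFIGURED_STS_URL, raw):
        return root.findtext("Subject")
    return None


if __name__ == "__main__":
    forged = build_token("administrator", "_forged", ATTACKER_STS_URL)
    print("vulnerable:", vulnerable_login(forged))  # administrator
    print("hardened:  ", hardened_login(forged))    # None
```

The fix is not merely allow-listing the URL the token carries: the server must take the validation endpoint from its own configuration and ignore whatever endpoint the token names. A complete fix would additionally verify the token's signature against the configured STS's signing certificate before trusting any subject it asserts; signature verification is left out here so the example runs offline.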
The company has also revealed three additional vulnerabilities affecting the same product:
Although there have been no reports of CVE-2024-29849 being exploited in the wild, the public availability of a working exploit could change that quickly. Update to version 12.1.2.172 or later as soon as possible.
Note: Veeam emphasized that installing Veeam Backup Enterprise Manager is optional, and environments without it are not affected by these issues.
As Veeam's security troubles continue to mount, the company has acknowledged another vulnerability, disclosed a few hours ago (0930 hrs, 06/10/2024).
Tracked as CVE-2024-29855 with a CVSS score of 9.0 (critical), the vulnerability lies in the Web Console component of Veeam's Recovery Orchestrator.
Veeam Recovery Orchestrator (VRO) is an integral component of the Veeam Data Platform. Ironically, the sole purpose of the orchestrator is to improve recovery by letting businesses define, test, and prepare for data outages, and the ability to pick the right recovery method is vital precisely when facing cyber threats.
The vulnerability allows an attacker to access the VRO web UI with administrative privileges: the JWT secret key used to sign session tokens is hard-coded, so anyone who extracts it can forge valid tokens and bypass authentication.
| Versions affected | VRO 7.0.0.337 |
|---|---|
| Severity | Critical |
| CVSS V3 Score | 9.0 |
| Mitigation Steps | Patch Available |
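The following added example shows why a hard-coded JWT signing secret is an authentication bypass rather than a mere secret-hygiene issue, using a minimal HS256 implementation from the standard library. It is illustrative code written for this page, not Veeam's code: the secret value, the claim names (sub, role) and the assumption that the attacker can guess a username and role are all constructed for the demonstration. The hardened variant generates a random per-installation secret, which is the usual fix for this class of bug.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Sign claims as an HS256 JWT. Anyone holding `secret` can do this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except (ValueError, json.JSONDecodeError):
        return None
    if alg != "HS256":  # refuse 'none' and algorithm-confusion headers
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


# Weak: one secret baked into the product, identical in every installation
# (constructed placeholder value, not Veeam's real key).
HARDCODED_SECRET = b"this-string-ships-inside-the-product"


def generate_install_secret() -> bytes:
    """Fixed: a 256-bit secret generated at install time and kept in protected storage."""
    return secrets.token_bytes(32)


def attacker_forges_admin(known_secret: bytes) -> str:
    # The attacker needs nothing from the target but the secret and a plausible
    # username/role pair (assumed claim names).
    return mint_jwt({"sub": "administrator", "role": "Administrator"}, known_secret)


def demo():
    forged = attacker_forges_admin(HARDCODED_SECRET)
    accepted_by_weak = verify_jwt(forged, HARDCODED_SECRET)   # claims dict: bypass succeeds
    accepted_by_fixed = verify_jwt(forged, generate_install_secret())  # None: rejected
    return accepted_by_weak, accepted_by_fixed


if __name__ == "__main__":
    print(demo())
```

Rotating to a per-installation secret invalidates every token signed with the old one, so a patch of this kind forces all users to log in again; that is the expected and desirable side effect. Treat any environment where the old secret was reachable as having had its sessions exposed.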
Gartner predicts that by 2025 fewer than 50% of enterprise APIs will be properly managed, leaving a significant portion of APIs beyond the reach of security controls. Organizations therefore face the challenge of managing rapidly growing API usage, both external and internal, and with it a constantly expanding attack surface.
With Wallarm's fully integrated API & Application Security platform, you can gain complete visibility into your entire API portfolio, monitor sensitive data flows, and identify risks.
To learn how Wallarm's platform enables these countermeasure checks, visit our official website.
The post CVE-2024-29849: Veeam discloses Critical Vulnerability that allows attackers to bypass user authentication on its Backup Enterprise Manager web interface appeared first on Wallarm.