Pierluigi Paganini June 11, 2024

A proof-of-concept (PoC) exploit code for a Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available.

Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and a proof of concept exploit for this issue.

The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The vulnerability was addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

• This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
  To do this, stop and disable the following services:
  • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
  • VeeamRESTSvc (Veeam RESTful API Service)
    _{Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.}
• Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
• Veeam Backup Enterprise Manager can be uninstalled if it is not in use.

Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.

Kheirkha explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (vVeeamRESTSvc ), which is installed during the setup of the Veeam enterprise manager software.

“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with the either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher.

The service listens on port TCP/9398 and operated as a REST API server, which is basically an API version of the main web application that listens on port TCP/9443

The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and used an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. Then a server under the control of the attack responds positively to the validation, granting the attacker administrator access.

To detect exploitation attempts, the researcher recommends to analyze the following log file:

C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log

searching for Validating Single Sign-On token. Service enpoint URL: 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)