New pre-auth RCE in Veeam Backup & Replication at risk of ransomware "abuse"

No full exploit chain yet but plenty of hints in new breakdown from WatchTowr

Veeam vulnerability CVE-2024-40711 is pre-auth RCE and...

A number of vulnerabilities have been identified in Veeam Backup and Replication, including a pre-auth RCE (CVE-2024-40711) allowing for full system takeover.

Researchers investigating the RCE declined to release a PoC for their exploits of the vulnerability over fears they could be swiftly weaponised by ransomware gangs – although the exploit chain is somewhat challenging.

This should give busy admins a little longer to issue patches for the critical vulnerability, which has been given a CVSS score of 9.8, as well as the other bugs Veeam has disclosed - but speedy patching is still of the essence as attack path details are emerging.

Veeam vulnerability CVE-2024-40711: CVSS 9.8

Veeam says CVE-2024-40711 affects version 12.1.2.172 and below.

Code White researcher Florian Hauser discovered and reported the RCE vulnerability.

"No technical details from us this time because this might instantly be abused by ransomware gangs," Code White wrote in an X post.

Researchers from attack surface firm WatchTowr confirmed the RCE's potential for exploitation without authentication in a detailed breakdown that also suggested Veeam may have tried to obfuscate how severe the vulnerability is.

In a blog, Sina Kheirkhah said it was a "complex vulnerability, requiring a lot of code-reading" and said: "We’ve successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication."

"Every sysadmin is familiar with Veeam’s enterprise-oriented backup solution, ‘Veeam Backup & Replication’," Kheirkhah continued. "Unfortunately, so is every ransomware operator, given its somewhat 'privileged position' in the storage world of most enterprises' networks."

What we're seeing is actually the effect of two separate bugs - one deserialisation bug (the ObjRef was omitted from the blacklist) and one improper authorization bug (anonymous connections were permitted by IsConnectingIdentityAuthorized).
It appears, interestingly, that Veeam patched these two separate bugs in two separate releases (despite Code White notifying them of both at the same time).
In the beginning, there was simply 12.1.0.2131. It contained an unauthenticated remote code execution vulnerability, CVE-2024-40711, comprised of two separate bugs.
Veeam then patched the improper authorization component, and released 12.1.2.172. This had the effect of preventing anonymous exploitation, downgrading CVE-2024-40711 to an authenticated-only vulnerability.
Then, three months later, they patched the deserialisation bug, creating 12.2.0.334. This fixes CVE-2024-40711 completely, preventing exploitation (spoiler: actually it doesn't, but that's a subject for a further blog post, since details are still under embargo). – WatchTowr
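The breakdown above turns on two independent checks failing open at once: a connection-level identity check that lets anonymous callers through, and a deserialisation gate built as a deny-list that simply omitted one type. The following Python is an added illustration, not code from WatchTowr, Code White or Veeam, and every type name, role name and function name in it is a constructed placeholder. It models each gate in its lenient and strict form and composes them as a request pipeline, so that the reader can see why a forgotten entry in a deny-list is fatal while an allow-list rejects anything it was never told about, and why the authorization gate on its own would have stopped the anonymous path.

```python
"""Constructed model of a two-gate message pipeline: an identity check
followed by a deserialisation type gate. Not Veeam's code; all names are
placeholders chosen for the illustration."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Identity:
    name: Optional[str]          # None models an anonymous connection
    role: Optional[str] = None   # None: the caller never authenticated


# --- Gate 1: is this connecting identity allowed in? -----------------------

def auth_lenient(identity: Identity) -> bool:
    """Fails open: only rejects identities carrying an explicitly bad role.
    An anonymous identity has no role at all, so it passes."""
    return identity.role != "blocked"


def auth_strict(identity: Identity) -> bool:
    """Fails closed: requires an authenticated name and a known role."""
    return identity.name is not None and identity.role in {"admin", "operator"}


# --- Gate 2: may this serialised type be instantiated? --------------------

# Constructed deny-list: the dangerous types the author remembered to list.
DENY_LIST = {"Sample.ProcessStart", "Sample.FileWrite"}
# Constructed allow-list: the message types the service actually expects.
ALLOW_LIST = {"Sample.BackupJobRequest", "Sample.Heartbeat"}


def type_gate_denylist(type_name: str) -> bool:
    """Anything not explicitly listed is accepted, including types the
    author forgot or never knew about."""
    return type_name not in DENY_LIST


def type_gate_allowlist(type_name: str) -> bool:
    """Only the expected message types are accepted; unknown types fail."""
    return type_name in ALLOW_LIST


# --- Pipeline: both gates must pass before the payload is deserialised ----

def accept_message(identity: Identity, type_name: str,
                   auth_check: Callable[[Identity], bool],
                   type_check: Callable[[str], bool]) -> str:
    if not auth_check(identity):
        return "rejected:unauthorized"
    if not type_check(type_name):
        return "rejected:type"
    return "deserialized"


def outcomes_for_anonymous_unknown_type() -> dict:
    """Runs an anonymous caller sending a type that appears on neither list
    (constructed placeholder name) through every gate combination."""
    anon = Identity(None)
    unknown = "Sample.ForgottenType"
    return {
        "lenient_auth+denylist": accept_message(anon, unknown, auth_lenient, type_gate_denylist),
        "strict_auth+denylist": accept_message(anon, unknown, auth_strict, type_gate_denylist),
        "lenient_auth+allowlist": accept_message(anon, unknown, auth_lenient, type_gate_allowlist),
        "strict_auth+allowlist": accept_message(anon, unknown, auth_strict, type_gate_allowlist),
    }


if __name__ == "__main__":
    for combo, result in outcomes_for_anonymous_unknown_type().items():
        print(f"{combo:24s} -> {result}")
```

Only the lenient-plus-deny-list combination lets the anonymous, unlisted message reach the deserialiser; fixing either gate alone closes that path, which matches the staged patching the breakdown describes, and an allow-list additionally removes the "forgot one type" failure mode entirely.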

WatchTowr also took the unusual (for it) step of not releasing a PoC.

"We’re breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!)," Kheirkhah said. "We’re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit."

As well as allowing an attacker to gain full control of a system, Censys reported that it lets the bad guys "manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors".

"This vulnerability is particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios," it wrote.

"Earlier vulnerabilities in Veeam Backup & Replication, such as CVE-2023-27532 disclosed back in July, have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba, and FIN7 for initial access, credential theft, and other malicious activities.

"Although it is currently unknown if CVE-2024-40711 is actively being exploited, its potential for extracting large volumes of data and enabling lateral movement within networks suggests it could become a target for ransomware attacks."

Rapid7 researchers reported that they are "not aware" of any exploitation of CVE-2024-40711 in the wild at the time of writing.

"Veeam Backup & Replication has a large deployment footprint, however, and several previous vulnerabilities affecting the software have been exploited in the wild, including by ransomware groups," Rapid7 warned. "It is possible that one or more of these vulnerabilities may be used to facilitate extortion attacks.

"More than 20% of Rapid7 incident response cases in 2024 so far have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment."

As well as patching the RCE bug, Veeam has also disclosed and fixed these other vulnerabilities:

CVE-2024-40713: A high severity vulnerability (CVSS 8.8) that "allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA."

CVE-2024-40710: A "series of related high-severity vulnerabilities" with a CVSS score of 8.8. "The most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords)," Veeam wrote. "Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication."

CVE-2024-39718: A vulnerability that "allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account". This bug is high severity with a CVSS score of 8.1.

CVE-2024-40714: A high severity vulnerability (CVSS score: 8.3) in TLS certificate validation that "allows an attacker on the same network to intercept sensitive credentials during restore operations."

CVE-2024-40712: A high severity path traversal vulnerability that enables an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE). It has a CVSS score of 7.8.

All vulns have been patched in Veeam Backup & Replication 12.2 (build 12.2.0.334).
