In this post we go over CVE-2024-29850, a high-severity (CVSS 8.8) vulnerability in Veeam Backup Enterprise Manager (VBEM) that lets an attacker take over accounts by relaying NTLM authentication. We'll explain how an NTLM relay works against VBEM, show how the usual tooling is launched, and link the original references for further reading.

Background

Veeam Backup Enterprise Manager is the optional web console that sits in front of one or more Veeam Backup & Replication servers for centralized management, monitoring and reporting. Because it brokers access to the backup infrastructure, whoever holds a VBEM account gets whatever that account can do across the managed backup servers. CVE-2024-29850 lets an attacker positioned on the network obtain a VBEM session as another user without ever learning that user's password.

Exploit Details

The root cause of CVE-2024-29850 is that VBEM's web interface accepted NTLM authentication that an attacker had relayed from another host. NTLM is a challenge-response protocol: the server sends an 8-byte challenge, and the client returns a response keyed on the user's password hash. Nothing in the exchange itself ties that response to the server the client believed it was talking to, so an attacker who gets a victim's client to authenticate to an attacker-controlled host can forward the victim's messages, unchanged, to VBEM, which then treats the attacker's connection as the victim's. Note that this does not involve intercepting traffic to the domain controller: the relay sits between the victim and the target, and the target validates the relayed credentials (with the DC's help) exactly as it would a genuine logon.

The first half of the attack, getting a victim to authenticate to the attacker, is usually done with Responder, an open-source LLMNR/NBT-NS/mDNS poisoner. Run on the same broadcast domain as the victims (not the domain controller), it answers name lookups for hosts that don't exist with its own address, so Windows clients that fall for it connect to the attacker and begin an NTLM exchange. Responder itself only captures the challenge/response pair for offline cracking; the forwarding step is done by a relay tool such as Impacket's ntlmrelayx.py, pointed at the VBEM host, with Responder's own SMB and HTTP servers switched off in Responder.conf so that the relay listener receives the victim's connection. A successful relay leaves the attacker holding an authenticated VBEM session as the victim, which is the account takeover this CVE describes.

Here's a Python snippet illustrating how Responder is launched. Responder is a command-line tool, not an importable module, so it is started as a subprocess with its real flags:

import subprocess

# Responder is started as a subprocess from its checkout directory and must
# run as root. The flags are Responder's own, as listed by "Responder.py -h".
responder_cmd = [
    "python3", "Responder.py",
    "-I", "eth0",   # network interface to listen on
    "-w",           # start the rogue WPAD proxy server
    "-r",           # answer NetBIOS wredir suffix queries
    "-f",           # fingerprint hosts that issue LLMNR/NBT-NS queries
]

# Launch Responder. LLMNR, NBT-NS and mDNS poisoning are enabled by default;
# for a relay, SMB and HTTP are set to Off in Responder.conf so ntlmrelayx
# can listen on those ports instead.
subprocess.run(responder_cmd, check=True)

The snippet above only sets the poisoning half of the attack in motion. To relay rather than merely capture, an attacker runs a relay tool alongside it (Impacket's ntlmrelayx.py, targeting the VBEM host) and waits for a poisoned or coerced client to connect. Which authentication reaches the relay, and what the attacker can then do inside VBEM with the victim's session, depends on the environment; the advisory does not publish exploitation details beyond the account-takeover outcome.
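To make the relay concrete, here is an added example (not code from the original post, from Veeam, or from Responder/Impacket): a self-contained Python simulation of an NTLMv2 relay against a VBEM-like web endpoint, plus the defence that breaks it. It models a server that verifies NTLMv2 responses, a victim client that answers whatever challenge it is handed, and a relay that ferries the challenge and response between them. It also shows Extended Protection for Authentication (channel binding): the victim binds its response to the TLS certificate of the host it actually connected to (the attacker's), so a server that insists on a binding to its own certificate rejects the relayed response while a genuine logon still succeeds. The class names, the NT hash (that of the password "password"), the certificate byte strings and the simplified channel-binding hash are all constructed for this lab; real clients hash the full gss_channel_bindings_struct, but the comparison logic is the same.

```python
import hashlib
import hmac
import os
import struct

# Constructed lab values: NT hash of the password "password", a lab user and two
# fake TLS certificates standing in for VBEM's and the attacker's.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "backupadmin", "CORP"
VBEM_CERT = b"constructed VBEM certificate"
ATTACKER_CERT = b"constructed attacker certificate"
MSV_AV_EOL, MSV_AV_CHANNEL_BINDINGS = 0x0000, 0x000A
AV_PAIRS_OFFSET = 28  # temp blob: 8-byte header + 8 timestamp + 8 client nonce + 4 reserved

def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key (MS-NLMP 3.3.2): HMAC-MD5(NT hash, UPPER(user) + domain in UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def channel_binding_hash(cert_der):
    """Simplified tls-server-end-point binding: MD5 over a tag plus the certificate hash."""
    return hashlib.md5(b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()).digest()

def encode_av_pairs(pairs):
    """AV_PAIR list: AvId(u16) AvLen(u16) Value, terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)

def decode_av_pairs(data):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = data[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len

def build_temp(client_nonce, av_pairs):
    """The 'temp' blob of an NTLMv2_RESPONSE; timestamp fixed at 0 to keep the lab deterministic."""
    header = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0)
    return header + client_nonce + b"\x00" * 4 + encode_av_pairs(av_pairs) + b"\x00" * 4

def ntlmv2_response(nt_hash, user, domain, server_challenge, temp):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()

class Victim:
    """A domain user whose client was lured (e.g. by LLMNR poisoning) into answering any challenge."""
    def __init__(self, nt_hash, user, domain, epa):
        self.nt_hash, self.user, self.domain, self.epa = nt_hash, user, domain, epa

    def answer(self, server_challenge, peer_cert):
        pairs = []
        if self.epa:  # bind the response to the TLS endpoint this client actually sees
            pairs.append((MSV_AV_CHANNEL_BINDINGS, channel_binding_hash(peer_cert)))
        temp = build_temp(os.urandom(8), pairs)
        proof = ntlmv2_response(self.nt_hash, self.user, self.domain, server_challenge, temp)
        return self.user, self.domain, temp, proof

class BackupWebServer:
    """Stand-in for an NTLM-authenticated web endpoint such as VBEM's."""
    def __init__(self, accounts, cert, require_epa):
        self.accounts, self.cert, self.require_epa = accounts, cert, require_epa

    def challenge(self):
        self.server_challenge = os.urandom(8)
        return self.server_challenge

    def authenticate(self, user, domain, temp, nt_proof):
        nt_hash = self.accounts.get((user, domain))
        if nt_hash is None:
            return False
        expected = ntlmv2_response(nt_hash, user, domain, self.server_challenge, temp)
        if not hmac.compare_digest(expected, nt_proof):
            return False  # wrong password, or the blob was altered in transit
        if self.require_epa:
            bound_to = decode_av_pairs(temp[AV_PAIRS_OFFSET:]).get(MSV_AV_CHANNEL_BINDINGS)
            if bound_to != channel_binding_hash(self.cert):
                return False  # bound to some other endpoint: a relayed response
        return True

def relay_attack(target, victim, attacker_cert=ATTACKER_CERT):
    """ntlmrelayx-style flow: fetch the target's challenge, serve it to the victim from the
    attacker's own listener, then forward the victim's answer to the target unchanged."""
    challenge = target.challenge()                    # attacker opens a session to the target
    answer = victim.answer(challenge, attacker_cert)  # victim authenticates to the attacker
    return target.authenticate(*answer)               # attacker submits it as its own

def legitimate_login(target, victim):
    return target.authenticate(*victim.answer(target.challenge(), target.cert))

def demo():
    accounts = {(USER, DOMAIN): NT_HASH}
    victim = Victim(NT_HASH, USER, DOMAIN, epa=True)
    unpatched = BackupWebServer(accounts, VBEM_CERT, require_epa=False)
    hardened = BackupWebServer(accounts, VBEM_CERT, require_epa=True)
    return {
        "relay_vs_unpatched": relay_attack(unpatched, victim),    # True: account taken over
        "relay_vs_hardened": relay_attack(hardened, victim),      # False: binding mismatch
        "legit_vs_hardened": legitimate_login(hardened, victim),  # True: real client still works
    }

if __name__ == "__main__":
    print(demo())
```

The point to notice is that the relay never touches the cryptography: the victim's NTProofStr verifies perfectly at the target because it was computed over the target's own challenge. Only a server-side check that the response was bound to this server (channel binding for HTTPS endpoints, signing for SMB/LDAP) turns a relayed response into a failed logon, which is why "require EPA" is the structural fix and why disabling LLMNR/NBT-NS merely removes one way of luring the victim.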

Original References

1. Veeam Security Advisory KB4581 (Veeam Backup Enterprise Manager vulnerabilities CVE-2024-29849 through CVE-2024-29852): https://www.veeam.com/kb4581
2. National Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2024-29850
3. Responder GitHub repository: https://github.com/lgandx/Responder
4. Impacket (ntlmrelayx.py) GitHub repository: https://github.com/fortra/impacket

Mitigation

Veeam Backup Enterprise Manager is an optional component, and Veeam's advisory notes that customers who do not use it can simply uninstall it, which removes this attack surface entirely. Where VBEM must stay in place until it can be patched, restrict who can reach its web interface and reduce an attacker's ability to obtain NTLM authentications on the network: disable LLMNR and NBT-NS on clients, prefer Kerberos over NTLM where the environment allows it, and keep the VBEM host off segments that untrusted devices can join.

The actual fix is in Veeam Backup Enterprise Manager 12.1.2.172, which ships with Veeam Backup & Replication 12.1.2. Upgrading VBEM to that build or later closes CVE-2024-29850 together with the other issues disclosed in the same advisory; note that it is the VBEM component, not only the Backup & Replication server, that needs the update.

Conclusion

CVE-2024-29850 is a high-severity vulnerability that allows account takeover via NTLM relay in Veeam Backup Enterprise Manager. It is a reminder that any NTLM-authenticated web endpoint is a relay target unless it binds authentication to the channel, that backup consoles are high-value targets because of what their accounts can reach, and that the practical defences are the unglamorous ones: patch VBEM, remove it if unused, and make NTLM harder to obtain on the network. Staying current with vendor advisories and applying the fixed builds promptly keeps exposure to this class of attack short.

Timeline

Published on: 05/22/2024 23:15:08 UTC
Last modified on: 07/12/2024 20:28:19 UTC