PoC Exploit Released for Veeam Authentication Bypass Flaw

A PoC exploit has been released for the critical Veeam Backup Enterprise Manager authentication bypass vulnerability, CVE-2024-29849, with a CVSS score of 9.8. This article explores the vulnerability, exploit, and potential implications for organizations using Veeam software.

CVE-2024-29849: The Vulnerability

On May 21, 2024, Veeam issued an advisory about CVE-2024-29849, a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager. This flaw enables an unauthenticated attacker to log in to the web interface as any user, bypassing all authentication mechanisms.

The vulnerability is in Veeam.Backup.Enterprise.RestAPIService.exe, a REST API server component of Veeam Backup Enterprise Manager. This service listens on TCP port 9398 and functions as the API counterpart to the main web application, which operates on TCP port 9443.

The PoC exploit, created by Sina Kheirkhah of the Summoning Team, exploits the vulnerability by manipulating the Veeam.Backup.Enterprise.RestAPIService.CEnterpriseRestSessionManagerControllerStub.LogInAfterAuthentication method.

The exploit targets specific conditions within this method to bypass authentication. It involves crafting a malicious SAML assertion and sending it to the vulnerable Veeam service. This assertion tricks the service into validating the token and granting access to the attacker.

The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.
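Because the vulnerable component is the REST API service on TCP port 9398, one practical check is to review which sources are actually reaching that port and the web application on 9443. The following is an added example, not code from Veeam or from the article's sources; it scans flow records for allowed connections to those two ports from outside an allowlisted management network. The record format, the sample records and the allowlisted subnet are constructed assumptions.

```python
import ipaddress

# Ports named in the article: 9398 = REST API service (the vulnerable
# component), 9443 = main web application.
VEEAM_PORTS = {9398: "REST API service", 9443: "web application"}

# Assumption: the only network that should reach Enterprise Manager.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records (not Veeam logs): timestamp src dst dport action
SAMPLE_FLOWS = """\
2024-06-11T08:01:12Z 10.20.0.15 10.30.1.5 9443 ALLOW
2024-06-11T08:03:40Z 10.20.0.15 10.30.1.5 9398 ALLOW
2024-06-11T09:17:02Z 203.0.113.77 10.30.1.5 9398 ALLOW
2024-06-11T09:17:05Z 203.0.113.77 10.30.1.5 9398 DENY
2024-06-11T09:20:31Z 192.168.50.9 10.30.1.5 9443 ALLOW
2024-06-11T09:21:00Z 192.168.50.9 10.30.1.5 443 ALLOW
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, dport, action), or None if the line is unparsable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), action.upper())
    except ValueError:
        return None

def unexpected_access(flows, allowed_nets=ALLOWED_NETS):
    """List allowed connections to the Veeam ports from non-allowlisted sources."""
    findings = []
    for line in flows.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, dport, action = rec
        if dport not in VEEAM_PORTS or action != "ALLOW":
            continue  # other services and blocked attempts are out of scope here
        if any(src in net for net in allowed_nets):
            continue  # expected management traffic
        findings.append((ts, str(src), str(dst), dport, VEEAM_PORTS[dport]))
    return findings

if __name__ == "__main__":
    for finding in unexpected_access(SAMPLE_FLOWS):
        print("unexpected source reached Veeam port:", finding)
```

Any finding on port 9398 means the REST API service is reachable from a network that should not have access to it, which is worth closing at the firewall regardless of patch status.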

About the Author:

FirstHackersNews- Identifies Security
