A PoC exploit has been released for the critical Veeam Backup Enterprise Manager authentication bypass vulnerability, CVE-2024-29849, with a CVSS score of 9.8. This article explores the vulnerability, exploit, and potential implications for organizations using Veeam software.
CVE-2024-29849: The Vulnerability
On May 21, 2024, Veeam issued an advisory about CVE-2024-29849, a critical authentication bypass vulnerability in Veeam Backup Enterprise Manager. This flaw enables an unauthenticated attacker to log in to the web interface as any user, bypassing all authentication mechanisms.
The vulnerability is in Veeam.Backup.Enterprise.RestAPIService.exe, a REST API server component of Veeam Backup Enterprise Manager. This service listens on TCP port 9398 and functions as the API counterpart to the main web application, which operates on TCP port 9443.
The PoC exploit, created by Sina Kheirkhah of the Summoning Team, exploits the vulnerability by manipulating the Veeam.Backup.Enterprise.RestAPIService.CEnterpriseRestSessionManagerControllerStub.LogInAfterAuthentication method.
The exploit relies on specific conditions within this method to bypass authentication: it crafts a malicious SAML assertion and sends it to the vulnerable Veeam service, which then validates the token and grants the attacker access.
The exploit script, written in Python, automates this process and includes a callback server to handle the malicious SAML assertion.