Full Report
Veeam published a CVSS 9.8 score for a complete authentication bypass vulnerability on their product. The author decided to take the time to understand the issue and write it up. Since they only have information from the CVE, they'll have to do some reverse engineering for this. The author goes down the authentication flow to find some weirdness with SSO. In particular, when using VMWare SSO, a SAML XML document is provided. One of the controlled values is the URL to check against. Since an attacker can provide their own SAML server to check again, it's trivial to bypass the authentication! If you can validate yourself, then you can easily exploit this. The core vulnerability is simple - bad input validation on sensitive values. However, this would have required a fairly deep understanding of SAML and the authentication flow to exploit. The author of this post ended up looking for issues in Veeam themselves after this. When doing JWT authentication on the Recovery Orchestrator, it had a hardcoded JWT. Since this is hardcoded, we can sign our own JWTs.
Analysis Summary
# Vulnerability: Veeam Backup Enterprise Manager Authentication Bypass via Malicious SAML Token
## CVE Details
- CVE ID: CVE-2024-29849
- CVSS Score: 9.8 (Critical)
- CWE: CWE-287 (Improper Authentication) - *Inferred based on nature of CVE*
## Affected Systems
- Products: Veeam Backup Enterprise Manager
- Versions: Not explicitly stated in the summary, but affected by the advisory.
- Configurations: Vulnerability is related to the handling of VMware SSO (Single Sign-On) tokens during the login process via the REST API service.
## Vulnerability Description
The vulnerability resides within the `VeeamRESTSvc` (Veeam.Backup.Enterprise.RestAPIService.exe) component which handles authentication requests, specifically when processing VMware SSO tokens. During the login flow (`LogInAfterAuthentication`), the system validates parameters within a SAML XML document provided by the client. An attacker can craft a malicious SAML assertion where a controlled or configurable value, expected to be validated against a specific URL endpoint (related to identity provider checking), can instead be set to an attacker-controlled server URL. If the system proceeds to validate this attacker-controlled URL/SAML structure, it effectively bypasses standard authentication checks, allowing the attacker to log in as any user.
A secondary finding noted by the researcher involved the Recovery Orchestrator component using a hardcoded JWT for JWT authentication, allowing an attacker to sign their own valid tokens, though the primary focus of the write-up is CVE-2024-29849.
## Exploitation
- Status: PoC available (A Python script demonstrating exploitation is described in the provided content).
- Complexity: Medium (Requires understanding of SAML flows, endpoint validation, and the specific REST API structure used by Veeam).
- Attack Vector: Network (Leveraged via the REST API service, assumedly listening on TCP/9398).
## Impact
- Confidentiality: High (Gain access to enterprise UI/API as any user).
- Integrity: High (Potential to perform unauthorized actions as an authenticated user).
- Availability: Medium/High (Depending on subsequent actions taken after unauthorized access).
## Remediation
### Patches
- Specific patch versions are not listed in the summary, but an update should be sought from Veeam that addresses CVE-2024-29849. Refer to the official Veeam advisory (KB4581).
### Workarounds
- No specific workarounds were detailed in the summarized content beyond applying the patch. Restricting access to the REST API service (TCP/9398) might offer temporary mitigation until patching is complete.
## Detection
- **Indicators of Compromise (IoCs):**
- Look for suspicious entries in the log file: `C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log`.
- Specifically, search for log entries containing the string: `Validating Single Sign-On token. Service enpoint URL:` followed by anomalous or external network addresses, indicating an attempt to force validation against a malicious SAML issuer.
- **Detection Methods and Tools:**
- Network monitoring for unusual traffic directed at the Veeam Backup Enterprise Manager REST API port (default TCP/9398) that includes JSON payloads containing a `VMwareSSOToken` field with base64 encoded data.
## References
- [https://github.com/sinsinology/CVE-2024-29849](https://github.com/sinsinology/CVE-2024-29849) (PoC link, defanged)
- [https://www.veeam.com/kb4581](https://www.veeam.com/kb4581) (Official Vendor Advisory link, defanged)