Veeam has patched a high-severity vulnerability in its Veeam Backup & Replication product. Tracked as CVE-2023-27532, the flaw lets an unauthenticated attacker who can reach the backup server retrieve the encrypted credentials stored in its configuration database, which can then be used to gain access to the backup infrastructure hosts.
A proof-of-concept (PoC) for this vulnerability is publicly available; Markus Wulftange, a security researcher at CODE WHITE GmbH, published it.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog with a remediation due date of September 12, 2023 for federal civilian agencies.
Veeam Backup & Replication is one of the industry-leading backup, recovery, and data security solutions for on-premises and cloud workloads. It is a software-defined, hardware-independent product that aims to eliminate downtime with instant recovery, protect backups from cyber threats with native immutability, and verify that backups are restorable.
The advisory states, “The vulnerable process, Veeam.Backup.Service.exe (which listens on TCP port 9401 by default), allows an unauthenticated user to request encrypted credentials.”
On successful exploitation, an unauthenticated user operating inside the backup infrastructure network perimeter can obtain the encrypted credentials stored in the configuration database.
Exploitation works by querying the service's API, which by default listens on TCP port 9401 on all interfaces (0.0.0.0), so any host that can reach that port can attempt it.
The API is implemented in the Veeam Backup & Replication server itself. Once an attacker has a client that can talk to the API on that port, credential extraction is straightforward: the credentials are returned encrypted, but a second API call decrypts them to their original plaintext values. Exploitation spawns no child processes and leaves no filesystem or registry artifacts, so detection should focus on network telemetry for TCP 9401 rather than on host-based process or file indicators.
Analysis of the listener on port 9401 and of the call to CreateService reveals a private constructor for CRemoteInvokeServiceHolder that uses the ServiceHost and NetTcpBinding classes and calls AddServiceEndpoint. This shows that the process hosts a Windows Communication Foundation (WCF) service that exposes the IRemoteInvokeService interface to clients.
NetTcpBinding uses a binary protocol over TCP (.NET Message Framing carrying binary-encoded XML) intended for WCF-to-WCF communication, which makes writing a custom parser for the wire format laborious. Rather than parsing it by hand, an attacker builds a WCF client in .NET that references the same service contract and lets the framework handle the framing and serialization.
Exploiting the vulnerability (Credential Extraction)
An attacker can invoke the CredentialsDbScopeGetAllCreds method, which returns binary large objects (BLOBs) containing the credential records. The implementation of this method shows that each blob is a C# object serialized with Veeam's custom CProxyBinaryFormatter.
To read the usernames and passwords, the attacker has to parse them out of that binary blob. The CredentialsDbScopeFindCredentials method, which returns one credential at a time, makes this easier than parsing the whole set at once.
To fix the vulnerability, customers must upgrade to Veeam Backup & Replication 11a (build 11.0.1.1261 P20230227) or 12 (build 12.0.0.1420 P20230223). Note that for 11a the build number alone does not distinguish P20230227 from earlier cumulative patches, so verify the patch identifier as well.
Please refer to the Veeam Security Advisory (kb4424) for more information.
Qualys customers can scan their devices with QID 378062 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.