Exploit for Veeam Recovery Orchestrator auth bypass released, patch now

A proof-of-concept (PoC) exploit for a critical Veeam Recovery Orchestrator authentication bypass vulnerability tracked as CVE-2024-29855 has been released, raising the risk of it being exploited in attacks.

The exploit was developed by security researcher Sina Kheirkhah, who also published a detailed write-up on his website. The post shows that the flaw is, in practice, easier to exploit than the vendor's bulletin suggested.

Critical authentication bypass

CVE-2024-29855, rated 9.0 on CVSS v3.1 ("critical"), is an authentication bypass vulnerability affecting Veeam Recovery Orchestrator (VRO) versions 7.0.0.337 and 7.1.0.205 and older.

The flaw allows unauthenticated attackers to log in to the Veeam Recovery Orchestrator web UI with administrative privileges.

The problem stems from the use of a hardcoded JSON Web Token (JWT) secret, which allows attackers to generate valid JWT tokens for any user, including administrators.

More specifically, the JWT secret used to create and validate tokens has no randomness or uniqueness per installation, making it predictable and static enough to be exploitable.
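The following is an added illustration, not code from the article or from Veeam, of why a shared static signing key defeats HS256 JWT authentication and what the per-installation fix looks like. It implements a minimal HS256 signer/verifier with the standard library only; the hardcoded secret, the claims, the username and the role-name values are constructed placeholders. Two servers each generate their own random secret at install time, so a token minted with one server's key (or with a leaked build-time constant) is rejected by every other server, while the static-secret configuration accepts a token minted by anyone who knows the constant.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed placeholder standing in for a secret compiled into the product.
# Every installation shares it, so whoever extracts it can mint tokens for any install.
HARDCODED_SECRET = b"example-static-secret-shared-by-every-install"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_install_secret() -> bytes:
    """Hardened alternative: a fresh 256-bit key from the OS CSPRNG, created once per install."""
    return secrets.token_bytes(32)


def sign_jwt(secret: bytes, claims: dict) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid under `secret` and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; never trust alg from the token itself
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # constant-time comparison of the MAC
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        return None  # require and enforce an expiry
    return claims


if __name__ == "__main__":
    # Constructed sample claims; the role name matches one of the roles named in the article.
    claims = {"sub": "administrator@example.local", "role": "DRSiteAdmin", "exp": 2_000_000_000}
    forged = sign_jwt(HARDCODED_SECRET, claims)  # what anyone holding the constant can produce

    print("static-secret server accepts forged token:", verify_jwt(HARDCODED_SECRET, forged) is not None)

    install_a, install_b = generate_install_secret(), generate_install_secret()
    print("per-install server A accepts forged token:", verify_jwt(install_a, forged) is not None)
    token_a = sign_jwt(install_a, claims)
    print("server A accepts its own token:", verify_jwt(install_a, token_a) is not None)
    print("server B accepts server A token:", verify_jwt(install_b, token_a) is not None)
```

The design point is that the HMAC key is the only thing standing between an unauthenticated client and an administrator session, so it must be unpredictable and unique to the deployment; the verifier additionally pins the algorithm and enforces `exp`, which limits the window in which any leaked or guessed token remains usable.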

Veeam's security bulletin recommends upgrading to the patched versions 7.1.0.230 and 7.0.0.379 and also describes the conditions required to exploit the flaw. These conditions include knowing a valid username and role and targeting a user with an active session.

“The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack,” reads Veeam’s bulletin.

However, as Kheirkhah shows in his write-up, some of these requirements can be bypassed with little effort, making this vulnerability more formidable and impactful.

Overcoming the requirements

Kheirkhah found that knowing the role can be easily overcome, as there can only be five roles (DRSiteAdmin, DRPlanAuthor, DRPlanOperator, and SiteSetupOperator).

The exploitation script is designed to iterate through these roles when generating JWT tokens until it finds a match.

Kheirkhah's exploitation script in action
Source: Summoning Team

To find a username to use in the attack, the researcher notes that the SSL certificate, obtained simply by connecting to the target endpoint, typically contains enough clues to derive the domain and potential usernames to use in a token spraying attack.

"The 'knowing the username' problem 'kind of' can be solved with the following solution: assuming there exists a user named administrator@evilcorp.local, one can find the domain name by looking at the CN field of the SSL certificate, and the username can be sprayed," explains the researcher at the Summoning Team.

Finally, regarding the "active session" requirement, Kheirkhah's PoC script generates and tests JWT tokens over a range of timestamps to increase the chances of hitting an active session.

A more targeted and stealthy approach would be to analyze user activity times. There is also the 'brute force' approach, which involves continuous attempts until an active session token is matched.

Since the exploit for CVE-2024-29855 is now publicly available, attackers will likely try to leverage it against unpatched systems, so applying the available security updates as soon as possible is essential.
