Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711)
CVE-2024-40711, a critical vulnerability affecting Veeam Backup & Replication (VBR), could soon be exploited by attackers to steal enterprise data.
Discovered and reported by CODE WHITE researcher Florian Hauser, the vulnerability can be leveraged for full system takeover, and security researchers from watchTowr Labs have already confirmed that it is exploitable.
Luckily for enterprises using VBR, both companies have refrained from sharing PoC exploit code or additional details about the flaw until most admins have had a chance to implement the fix Veeam provided last week.
About CVE-2024-40711
Veeam Backup & Replication is a popular enterprise solution for backing up, replicating and restoring virtual environments, physical machines and cloud-based workloads.
Ransomware groups have previously exploited vulnerabilities (e.g., CVE-2023-27532) in VBR to gain access to organizations’ backup infrastructure.
CVE-2024-40711 is a critical vulnerability (CVSS 9.8) that Veeam's advisory describes only as allowing unauthenticated remote code execution, with no further technical details. It affects VBR version 12.1.2.172 and all earlier versions.
“CVE-2024-40711 could allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors,” Censys researchers noted on Friday.
They also identified 2,833 Veeam Backup & Replication servers exposed on the Internet, mostly concentrated in Germany and France, but how many of those are vulnerable is unknown, since the exposed version is not always visible from the outside.
Fix is available
Veeam fixed CVE-2024-40711 and five other, less severe flaws affecting VBR on Thursday, and urged admins to update to Veeam Backup & Replication 12.2 (build 12.2.0.334). The company did not mention workarounds for any of them.
Simultaneously, the company issued fixes for a variety of vulnerabilities in:
- Veeam Agent for Linux
- Veeam ONE (monitoring and analytics solution for IT workloads)
- Veeam Backup for Nutanix AHV and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization, and
- Veeam Service Provider Console (a solution for managing data backup operations, used by MSPs and enterprises).
UPDATE (September 10, 2024, 06:05 a.m. ET):
WatchTowr Labs researcher Sina Kheirkhan has shared an analysis in which the last few VBR releases provided by Veeam were compared (patch diffing).
They reckon that CVE-2024-40711 consists of two separate components, an improper authorization bug and a deserialisation bug, and that Veeam fixed the first one in VBR 12.1.2.172 (released in late May) and delivered a patch for the deserialisation bug last week, with VBR 12.2.0.334.
They also appear to have found that the later patch does not fix CVE-2024-40711 completely, but say they will explain that finding at a later date, since details are still under embargo. They have also refrained from publishing exploit code, because they are worried the bug is very valuable to ransomware operators.
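The two-part structure described above has a practical consequence for inventory triage: a server on 12.1.2.172 is not "half-safe" in any useful sense, because the deserialisation half is still present. The following is an added example, not code from Veeam or watchTowr, that classifies VBR build strings against the two fix thresholds the analysis names (12.1.2.172 for the authorization bug, 12.2.0.334 for the deserialisation bug, the latter treated as "patched" per Veeam's advisory; watchTowr's reservation about the completeness of that patch is noted but not modelled). The hostnames and the inventory are constructed sample data.

```python
"""Triage Veeam Backup & Replication build numbers against CVE-2024-40711.

Added example, not Veeam's or watchTowr's code. It encodes only what the
article states: the improper-authorization half was fixed in VBR 12.1.2.172
and the deserialisation half in VBR 12.2.0.334. The inventory below is
constructed sample data (invented hostnames), not real hosts.
"""
from __future__ import annotations

# Fix thresholds as reported in the article.
AUTHZ_FIXED_BUILD = (12, 1, 2, 172)
DESER_FIXED_BUILD = (12, 2, 0, 334)


def parse_build(build: str) -> tuple[int, ...]:
    """Turn a dotted Veeam build string such as '12.1.2.172' into a numeric
    tuple so that comparisons are numeric, not lexicographic ('12.10.0.1'
    must sort after '12.2.0.334'). Short strings ('12.2') are zero-padded.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {build!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def classify(build: str) -> str:
    """Return the patch status of a VBR build against CVE-2024-40711.

    'patched'         : >= 12.2.0.334, both halves fixed per Veeam's advisory
                        (watchTowr has questioned completeness; see article)
    'deser-unpatched' : >= 12.1.2.172 but < 12.2.0.334, only the authorization
                        bug is fixed; the deserialisation bug is still present
    'vulnerable'      : < 12.1.2.172, neither fix is present
    """
    v = parse_build(build)
    if v >= DESER_FIXED_BUILD:
        return "patched"
    if v >= AUTHZ_FIXED_BUILD:
        return "deser-unpatched"
    return "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so the hosts that still need 12.2.0.334
    (both 'vulnerable' and 'deser-unpatched') stand out."""
    groups: dict[str, list[str]] = {
        "vulnerable": [], "deser-unpatched": [], "patched": []
    }
    for host, build in inventory.items():
        groups[classify(build)].append(host)
    return groups


# Constructed sample inventory: hostnames are invented for this example.
SAMPLE_INVENTORY = {
    "vbr-01.example.internal": "12.0.0.1420",
    "vbr-02.example.internal": "12.1.2.172",
    "vbr-03.example.internal": "12.2.0.334",
    "vbr-04.example.internal": "11.0.1.1261",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

The build string itself would come from the VBR console (Help > About) or from your asset inventory; the point of the numeric comparison is that a plain string sort silently misorders builds once a component reaches two digits.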
“There’s no point deploying cryptolocker malware on a target unless you can also deny access to backups, and so, this class of attackers absolutely loves to break this particular software,” Kheirkhan noted.
“Veeam Backup & Replication has a large deployment footprint,” says Rapid7, which thinks it likely that one or more of the patched VBR vulnerabilities will end up being used to facilitate extortion attacks.
“More than 20% of Rapid7 incident response cases in 2024 so far have involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment,” the company noted.
UPDATE (October 1, 2024, 04:45 a.m. ET):
WatchTowr Labs released a PoC exploit for CVE-2024-40711 two weeks ago.