
Experts published PoC exploit code for Veeam Backup & Replication bug

Researchers released PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software.

Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in Veeam Backup and Replication (VBR) software. An unauthenticated user with access to the Veeam backup service (TCP 9401 by default) can exploit the flaw to request cleartext credentials.

A remote attacker can exploit the flaw to access the backup systems of a target organization and execute arbitrary code as ‘SYSTEM.’

“Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.” reads the advisory published by the vendor. “This may lead to an attacker gaining access to the backup infrastructure hosts.”
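The exposure condition described above is network reachability of the backup service port (TCP 9401 by default), so defenders can audit which hosts actually connect to it. The following is an added example, not code from the article, the vendor or the researchers: it flags sources outside an allowlist of backup infrastructure subnets that contacted the backup service port. The log format, subnets, server address and sample records are constructed assumptions.

```python
import csv
import io
import ipaddress

VBR_PORT = 9401  # default Veeam backup service port named in the article

# Assumption: subnets that legitimately host backup infrastructure components.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/24")]
# Assumption: address of the backup server being protected.
VBR_SERVERS = {ipaddress.ip_address("10.20.0.10")}

# Constructed sample flow records (not real data): time,src,dst,dport,proto,action
SAMPLE_LOG = """\
2023-03-24T09:00:01Z,10.20.1.15,10.20.0.10,9401,tcp,allow
2023-03-24T09:02:13Z,10.50.7.33,10.20.0.10,9401,tcp,allow
2023-03-24T09:02:40Z,10.50.7.33,10.20.0.10,443,tcp,allow
2023-03-24T09:05:52Z,192.0.2.77,10.20.0.10,9401,tcp,deny
2023-03-24T09:06:10Z,not-an-ip,10.20.0.10,9401,tcp,allow
2023-03-24T09:07:00Z,10.50.7.33,10.20.0.10,9401,tcp,allow
"""

def find_unexpected_clients(log_text):
    """Return (findings, malformed).

    findings maps each source IP outside ALLOWED_SOURCES that targeted a
    backup server on VBR_PORT to its count of allowed and denied connections.
    malformed collects rows that could not be parsed, for manual review.
    """
    findings, malformed = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            malformed.append(row)
            continue
        _ts, src, dst, dport, proto, action = (f.strip() for f in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            malformed.append(row)
            continue
        if proto.lower() != "tcp" or port != VBR_PORT or dst_ip not in VBR_SERVERS:
            continue  # not traffic to the backup service
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue  # expected backup infrastructure client
        counts = findings.setdefault(str(src_ip), {"allow": 0, "deny": 0})
        if action.lower() in counts:
            counts[action.lower()] += 1
    return findings, malformed
```

Sources with a non-zero `allow` count are the ones to investigate first, since the firewall let them reach the service; `deny` counts show probing that was blocked.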

The company addressed the flaw with the release of Veeam Backup & Replication build numbers:

The researchers at Horizon3’s Attack Team published technical details for this vulnerability along with PoC exploit code.

The researchers reverse engineered Veeam’s Backup Service, focusing on the port used by the service.

The researchers discovered that it is possible to abuse an unsecured API endpoint to retrieve credentials in plaintext from the VBR configuration database.

“We have examined the vulnerable port, reverse engineered the Veeam Backup Service, and constructed a WCF client using .NET core. We have also shown how to extract credentials from the Veeam database by invoking the CredentialsDbScopeGetAllCreds and CredentialsDbScopeFindCredentials endpoints. Finally, we have released our POC on Github, which is built on .NET core and capable of running on Linux, making it accessible to a wider audience.” reads the analysis published by the experts. “It is important to note that this vulnerability should be taken seriously and patches should be applied as soon as possible to ensure the security of your organization.”

The researchers explained that their work is based on the “great prior research” conducted by researchers from HuntressLabs, @CODE WHITE GmbH, and Y4er_ChaBug.

Veeam Backup & Replication CVE-2023-27532 Response (By HuntressLabs)

Huntress researchers reported that on their install base composed of 2 million devices, they uncovered 7,500 hosts with a vulnerable version of the Veeam Backup & Replication service present.


Pierluigi Paganini

(SecurityAffairs – hacking, Backup & Replication)
