Veeam's Backup & Replication software exposes cleartext credentials via API

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – High: Successful exploitation leaks the credentials VBR has stored for the systems it backs up, giving an attacker a route into additional infrastructure.

Veeam’s Backup & Replication (VBR) software exposes, through its backup service, an API that an unauthenticated remote attacker can use to retrieve stored credentials in cleartext. A proof-of-concept (PoC) is publicly available and exploitation is likely. The vulnerability is tracked as CVE-2023-27532 and has a CVSSv3 base score of 7.5 (High).

Impact

An attacker can send unauthenticated requests to a host running the vulnerable service and extract the credentials VBR has stored for the infrastructure it backs up; with those credentials they can potentially gain access to that infrastructure.

Exploitation takes two API requests to the service. The first returns the stored credentials in encrypted form together with the UUIDs of the associated accounts. The second, given those UUIDs, returns the credentials decrypted as a Base64-encoded string. Neither request spawns a child process or leaves registry or file-system artefacts, and a default VBR configuration writes no log entries for them; registry changes are required before this activity is logged at all. Please see Containment, Mitigations & Remediations.

Vulnerability Detection

All versions of Veeam Backup & Replication earlier than the patched builds listed below are vulnerable. Veeam ships these fixes as patches on top of an existing build number, so the base build alone does not confirm that the fix is present; check the patch level as well:

* 12 (build 12.0.0.1420 P20230223)
* 11a (build 11.0.1.1261 P20230227)
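The following PowerShell check is an added example for this bulletin, not a Veeam tool and not taken from the sources listed under Further Information. It reads the VBR install directory from the CorePath value under the Veeam registry key (an assumption; it falls back to the default install path), takes the build from the file version of Veeam.Backup.Core.dll (also an assumption about where the build is exposed), and classifies the result against the fixed builds above. Because the fix is shipped as a patch on top of the same base build number, a build equal to the fixed build is reported as needing manual confirmation of the patch level rather than as patched.

```powershell
# Added example: classify an installed Veeam Backup & Replication build against the
# fixed builds named in this bulletin (CVE-2023-27532). Not Veeam's own tooling.
# Assumptions (not stated by the bulletin): the install directory is in the CorePath
# value of HKLM\SOFTWARE\Veeam\Veeam Backup and Replication, and the product build is
# readable from the file version of Veeam.Backup.Core.dll.

# Base build numbers that carry the fix; the fix itself is the patch level in the comment.
$FixedBuilds = @{
    12 = [version]'12.0.0.1420'   # 12  P20230223
    11 = [version]'11.0.1.1261'   # 11a P20230227
}

function Get-VbrInstalledBuild {
    $regKey   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
    $corePath = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).CorePath
    if (-not $corePath) {
        # Assumed default install path, used only if the registry value is absent.
        $corePath = 'C:\Program Files\Veeam\Backup and Replication\Backup'
    }
    $dll = Join-Path $corePath 'Veeam.Backup.Core.dll'
    if (-not (Test-Path $dll)) {
        throw "Veeam.Backup.Core.dll not found under '$corePath'; is VBR installed on this host?"
    }
    $vi = (Get-Item $dll).VersionInfo
    # Build a [version] from the numeric parts rather than parsing the free-text FileVersion string.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-VbrCve202327532 {
    param([Parameter(Mandatory)][version]$Build)

    $result = [ordered]@{ Build = $Build.ToString(); Status = $null; Note = $null }

    if ($Build.Major -gt 12) {
        $result.Status = 'Patched'
        $result.Note   = 'Newer than the affected releases.'
    }
    elseif (-not $FixedBuilds.ContainsKey($Build.Major)) {
        # 10.x, 9.5 and older: no patched build exists, every such release predates the fix.
        $result.Status = 'Vulnerable'
        $result.Note   = 'No patched build exists for this release; upgrade to 11a or 12 and apply the patch.'
    }
    else {
        $fixed = $FixedBuilds[$Build.Major]
        if ($Build -lt $fixed) {
            $result.Status = 'Vulnerable'
            $result.Note   = "Older than fixed base build $fixed."
        }
        elseif ($Build -eq $fixed) {
            # Same base build as the fix: the patch level cannot be read from this number alone.
            $result.Status = 'ConfirmPatchLevel'
            $result.Note   = 'Base build matches the fixed build; confirm patch P20230223 (v12) or P20230227 (v11a) is installed.'
        }
        else {
            $result.Status = 'Patched'
            $result.Note   = "Newer than fixed base build $fixed."
        }
    }
    [pscustomobject]$result
}

Test-VbrCve202327532 -Build (Get-VbrInstalledBuild) | Format-List
```

Run it on the backup server itself (the DLL is read locally). A ConfirmPatchLevel result is the expected outcome on a correctly patched host whose file version still reports the base build; treat it as "verify", not as "clean".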

Affected Products

All releases of Veeam’s Backup & Replication (VBR) software that predate the patched builds listed under Vulnerability Detection. Fixes are provided only for versions 11a and 12, so older releases must be upgraded before they can be patched.

Containment, Mitigations & Remediations

Veeam has released patches for versions 11a and 12 of VBR and advises customers to apply them immediately.

Organisations that cannot apply the patches immediately should at least enable additional logging in the Veeam Backup Service. Its log is written to `C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log`, but at the default logging level API calls are not recorded, so the registry change below is needed to raise the level sufficiently. Veeam's own advisory also recommends restricting external connections to the backup service's TCP port (9401) on hosts that cannot yet be patched; raising the logging level is a detective control only and does not block exploitation.

By default, the registry value `HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel` is set to DWORD 4. It should be set to DWORD 7. Expect a noticeable increase in log volume at this level, and make sure the log is collected centrally so that the entries survive a compromise of the host.
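The script below is an added example of applying that registry change, not Veeam's own tooling and not from the bulletin's sources. The value name, its default of 4 and the recommended level of 7 are taken from this bulletin; the service name VeeamBackupSvc and the possibility that a service restart is needed before the new level takes effect are assumptions, so the restart is opt-in (it interrupts running backup jobs).

```powershell
# Added example: raise the Veeam Backup Service logging level so that API calls of the
# kind used to exploit CVE-2023-27532 are written to Svc.VeeamBackup.log. Not Veeam's
# own tooling. The registry value, its default (4) and the recommended level (7) come
# from this bulletin. Assumptions (not stated by the bulletin): the service is named
# VeeamBackupSvc, and a restart may be needed before the new level takes effect; the
# restart is opt-in because it interrupts running backup jobs.
param([switch]$RestartService)

$RegKey  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$LogFile = 'C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log'
$Target  = 7

# Fails if the key is missing, i.e. VBR is not installed on this host.
$item   = Get-ItemProperty -Path $RegKey -ErrorAction Stop
$before = $item.LoggingLevel          # $null when the value has never been set (Veeam default 4)
$shown  = if ($null -eq $before) { 'not set (default 4)' } else { $before }

if ($null -ne $before -and $before -ge $Target) {
    Write-Output "LoggingLevel already $before; nothing to do."
}
else {
    # The registry provider creates the value if it does not exist; -Type DWord keeps it a DWORD.
    Set-ItemProperty -Path $RegKey -Name LoggingLevel -Value $Target -Type DWord
    $after = (Get-ItemProperty -Path $RegKey -Name LoggingLevel).LoggingLevel
    if ($after -ne $Target) { throw "LoggingLevel is $after after the write, expected $Target" }
    Write-Output "LoggingLevel changed: $shown -> $after (record the old value for rollback)."
}

if ($RestartService) {
    Restart-Service -Name VeeamBackupSvc -ErrorAction Stop
}

# Level 7 produces far more output than the default: confirm the log exists and is growing,
# and that it is being shipped off-host. This is a detective control only and blocks nothing.
if (Test-Path $LogFile) {
    Get-Item $LogFile | Select-Object FullName, Length, LastWriteTime
}
else {
    Write-Warning "$LogFile not found yet; the service creates it once it starts logging."
}
```

Run from an elevated PowerShell session on the backup server; add `-RestartService` only in a maintenance window. Keep the printed previous value so the change can be reverted once the host is patched.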

Indicators of Compromise

With VBR's default configuration no indicators of compromise have been reported: the requests spawn no processes, leave no registry or file-system artefacts and are not logged. The additional logging described under Containment, Mitigations & Remediations is required before successful exploitation can be identified.

Threat Landscape

VBR is a comprehensive data protection and disaster recovery solution. The software takes image-level back-ups of virtual, physical and cloud machines so they can be restored when required. Because a VBR server holds back-ups of, and credentials for, an organisation’s entire infrastructure, it is a tempting target, and such servers are scrutinised closely by both attackers and security researchers.
Veeam reports that VBR is used by 450,000 organisations worldwide, including 82% of the Fortune 500 and 72% of the Global 2000.

Threat Group

CVE-2023-27532 is not attributed to any threat group. However, as exploitation requires no authentication and proof-of-concept code is publicly available, it is likely that threat actors will begin to exploit it.

MITRE ATT&CK Methodologies

Tactic:

TA0002 – Execution

TA0006 – Credential Access

Further Information

Veeam vulnerability disclosure
Horizon3 PoC blog
PoC for CVE-2023-27532
National Vulnerability Database for CVE-2023-27532
Bleeping Computer article
