Indiscriminate, opportunistic targeting.
Severity Level – High: Exploitation will leak credentials giving an attacker access to additional infrastructure.
Veeam’s Backup & Replication (VBR) software runs an exploitable process that allows an attacker to remotely obtain cleartext credentials. A proof-of-concept (PoC) exploit is publicly available, so exploitation is likely. The vulnerability is tracked as CVE-2023-27532 and has a CVSSv3 base score of 7.5.
An attacker can send an unauthenticated request to a host running the vulnerable process to extract credentials, with which they can potentially gain access to additional infrastructure.
To exploit this vulnerability, two API requests are made against the process. The first request returns encrypted credentials together with the associated account UUIDs. Using those account UUIDs, a second API call decrypts the credentials and returns them as a Base64 string. The API requests do not create any child processes and leave no registry or file-system artifacts. Additionally, a default configuration of VBR does not record any logs related to the attack; registry edits are required to log this activity. Please see Containment, Mitigations & Remediations.
All versions of Veeam Backup and Replication prior to the patched versions listed below:
* 12 (build 184.108.40.2060)
* 11a (build 220.127.116.111)
All versions of Veeam’s Backup & Replication (VBR) software
Containment, Mitigations & Remediations
Veeam has released patches for V11 and V12 of the VBR software and is advising customers to update immediately.
Organisations that are not in a position to apply the latest application patches should configure additional logging from the Veeam service. Veeam logs are written to `C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log`. By default, Veeam logging does not include API calls. To enable this level of logging manually, the following registry setting is recommended to ensure the logging level is sufficient.
By default, the registry value `HKLM\Software\Veeam\Veeam Backup and Replication\LoggingLevel` is a DWORD set to 4. It is recommended that this value be set to DWORD 7.
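As an added example (not from the advisory or from Veeam), the following PowerShell script audits the `LoggingLevel` value described above and, when run with `-Apply`, raises it to the recommended 7; the script structure, the `-Apply` switch and the comment about restarting the service are assumptions, while the registry path, value name, default and recommended level are taken from the advisory.

```powershell
# Added example: audit and optionally raise the VBR LoggingLevel so that API
# calls are written to Svc.VeeamBackup.log. Registry path, value name, the
# default (4) and the recommended level (7) come from the advisory text; the
# rest of this script is an assumption, not Veeam tooling.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,                  # without this switch the script only reports
    [int]$RecommendedLevel = 7       # level the advisory recommends
)

$RegPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$ValueName = 'LoggingLevel'
$LogFile   = 'C:\ProgramData\Veeam\Backup\Svc.VeeamBackup.log'

function Get-VeeamLoggingLevel {
    # Returns the current DWORD, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $RegPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-VeeamLoggingLevel
if ($null -eq $current) {
    Write-Warning "Registry value not found: $RegPath\$ValueName (is VBR installed on this host?)"
    return
}

$state = if ($current -ge $RecommendedLevel) { 'OK' } else { 'BELOW RECOMMENDED' }
Write-Output ("{0}\{1} = {2} ({3}; advisory recommends {4})" -f $RegPath, $ValueName, $current, $state, $RecommendedLevel)

if ($current -lt $RecommendedLevel -and $Apply) {
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Set DWORD to $RecommendedLevel")) {
        Set-ItemProperty -LiteralPath $RegPath -Name $ValueName -Value $RecommendedLevel -Type DWord
        Write-Output ("New value: {0}" -f (Get-VeeamLoggingLevel))
        # Assumption (not stated in the advisory): the Veeam service may need a
        # restart before the new logging level takes effect.
    }
}

# Confirm the log file the advisory names exists and is being written to.
if (Test-Path -LiteralPath $LogFile) {
    $log = Get-Item -LiteralPath $LogFile
    Write-Output ("Log file present: {0} ({1} bytes, last written {2})" -f $LogFile, $log.Length, $log.LastWriteTime)
} else {
    Write-Output "Log file not found at $LogFile"
}
```

Run it without switches first to report the current level on each VBR host, then with `-Apply` (and `-WhatIf` to preview) on hosts that cannot yet be patched.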
Indicators of Compromise
With the default configuration of Veeam, no indicators of compromise have been reported. Additional levels of logging are required to identify successful exploitation.
VBR is a comprehensive data protection and disaster recovery solution. The software takes image-level back-ups of virtual, physical and cloud machines so they can be restored if required. Because a VBR server holds back-ups of an organisation’s entire infrastructure, these servers are tempting targets. As a result, they are scrutinised thoroughly by both attackers and security researchers.
Veeam reports that its VBR software is used by 450,000 organisations worldwide, including 82% of Fortune 500 companies and 72% of the Global 2000.
CVE-2023-27532 is not attributed to any threat group. However, as exploitation of this vulnerability does not require authentication and proof-of-concept code is available, it is likely that threat actors will begin to exploit it.
TA0002 – Execution
TA0006 – Credential Access