CVE-2023-27532 – Veeam Backup & Replication Vulnerability Exposes Stored Credentials, No Auth Necessary

Written by Mark Stueck and Scott Emerson of the Kudelski Security Threat Detection & Research Team

CVE-2023-27532: Unauthenticated Access to Cleartext Credentials Possible Through Veeam Backup & Replication Vulnerability

Summary

Veeam Software recently released a security update and patches for a high-severity vulnerability in its Veeam Backup & Replication product. The vulnerability is present in all but the newest version of the product and is exposed in the default configuration. The vulnerability, assigned CVE-2023-27532, allows unauthenticated access to “encrypted” credentials housed in the configuration database. Unfortunately, while the credentials are encrypted in the data store, they are decrypted by the Veeam solution before transmission, meaning they are available in cleartext to an attacker who can successfully abuse this vulnerability.

Affected Systems and/or Applications

All versions of Veeam Backup & Replication are impacted except newer deployments built with the following ISOs:

Versions that are NOT impacted

  1. 20230223 (V12) or later
  2. 20230227 (V11) or later

Configuration for Vulnerability Exposure

All but the latest Veeam Backup & Replication versions are impacted by default. The following conditions are required for vulnerability exposure:

  1. Unsupported deployment (V10 or earlier) or unpatched V11/V12
  2. Veeam.Backup.Service.exe listening on port TCP/9401 (default)

Technical Details / Attack Overview

CVE-2023-27532 allows an unauthenticated user with network access to the Veeam solution to obtain credentials stored in the configuration database. Information on successful exploitation is currently scarce. However, Markus Wulftange, a Security Researcher with CODE WHITE GmbH, has developed a working proof-of-concept that targets the exposed API of the Veeam Backup & Replication software:

The above output of the PoC shows recovered cleartext credentials. At rest, the credentials are stored encrypted in the configuration database. However, during the CCredentials serialization process, the credentials are decrypted and transmitted in cleartext to a potential attacker:

Threat Actor Post Exploitation Activity

Activity related to this CVE has not yet been observed in the wild, but affected parties should expect attempts at exploitation in the coming weeks. Severity and ease of abuse make this an extremely attractive vulnerability to attackers. Any credential managed by Veeam Backup & Replication could be exposed in cleartext, potentially allowing threat actors to escalate their privileges, move laterally, and mount more effective ransom attempts if they gain access to backup infrastructure hosts.

Solution

(From: https://www.veeam.com/kb4424)
This vulnerability is resolved in the following Veeam Backup & Replication build numbers:

  1. 12 (build 12.0.0.1420 P20230223)
  2. 11a (build 11.0.1.1261 P20230227)

Notes:

  1. This vulnerability affects all recent Veeam Backup & Replication versions.
  2. If you use an earlier Veeam Backup & Replication version, please upgrade to a supported version first.
  3. If you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.
  4. The patch must be installed on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11a installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.

Temporary Workarounds and Mitigations

Kudelski Security recommends patching as soon as possible. In the meantime, if you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.

Detection Guidance

Successful exploitation of CVE-2023-27532 targets Veeam Backup & Replication API functionality. To effectively detect suspicious activity related to this vulnerability, logging of API calls requires a logging level of 7 or higher, set in the following registry key:

HKLM\Software\Veeam\Veeam Backup and Replication

(increased from the default logging level of 4)

Once the logging level for the Veeam Backup and Replication service is set, the VeeamBackup.log contains an artifact of successful exploitation in the following format:

Invoke: scope ‘{0}’, method ‘{1}’

Where {0} and {1} are as-yet-undisclosed values.
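The following Python script is an added example, not part of the Kudelski bulletin or of Veeam's tooling. It parses VeeamBackup.log lines for the "Invoke: scope '{0}', method '{1}'" artifact described above, counts each (scope, method) pair, and flags pairs that never appeared during a known-good baseline period. The scope and method names and the log line prefix are constructed placeholders; the real values are undisclosed.

```python
import re
from collections import Counter

# Matches the VeeamBackup.log artifact described in the bulletin:
#   Invoke: scope '{0}', method '{1}'
# Both typographic and ASCII quotes are accepted, since the bulletin quotes the
# format with curly quotes while the on-disk log may use straight ones.
INVOKE_RE = re.compile(
    r"Invoke:\s*scope\s*[‘'\"]([^’'\"]*)[’'\"],\s*method\s*[‘'\"]([^’'\"]*)[’'\"]"
)


def parse_invoke_lines(lines):
    """Return a list of (scope, method) tuples, one per matching Invoke line."""
    hits = []
    for line in lines:
        m = INVOKE_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def summarize(lines):
    """Count Invoke calls per (scope, method) so rare pairs stand out."""
    return Counter(parse_invoke_lines(lines))


def new_pairs(baseline_lines, current_lines):
    """Return (scope, method) pairs seen now that never appeared in the baseline.

    The baseline should come from a period of known-good operation; any new
    pair is a candidate for analyst review, not proof of exploitation.
    """
    known = set(parse_invoke_lines(baseline_lines))
    return sorted(set(parse_invoke_lines(current_lines)) - known)


# Constructed sample log lines. The timestamp/thread prefix is an assumed
# layout and PLACEHOLDER_* values stand in for the undisclosed real ones.
BASELINE_LOG = [
    "[01.03.2023 10:15:02] <12> Info     Starting session",
    "[01.03.2023 10:15:03] <12> Info     Invoke: scope ‘PLACEHOLDER_SCOPE’, method ‘PLACEHOLDER_METHOD_A’",
]
CURRENT_LOG = BASELINE_LOG + [
    "[02.03.2023 03:41:10] <19> Info     Invoke: scope 'PLACEHOLDER_SCOPE', method 'PLACEHOLDER_METHOD_A'",
    "[02.03.2023 03:41:11] <19> Info     Invoke: scope 'PLACEHOLDER_SCOPE', method 'PLACEHOLDER_METHOD_B'",
]

if __name__ == "__main__":
    for (scope, method), n in summarize(CURRENT_LOG).items():
        print(f"{n:4d}  scope={scope!r} method={method!r}")
    print("new since baseline:", new_pairs(BASELINE_LOG, CURRENT_LOG))
```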

Once more details about the exploit are released there may be the possibility to detect via Network Detection and Response (NDR) or Intrusion Detection Systems (IDS) solutions.

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation with CVE-2023-27532 and keep clients apprised as it evolves; please check this bulletin for updates.
