CVE-2024-29212 - Remote Code Execution in Veeam Service Provider Console via Unsafe Deserialization

CVE-2024-29212 is a critical vulnerability in Veeam Service Provider Console (VSPC) that could allow an attacker to perform Remote Code Execution (RCE) on the VSPC server. The flaw exists due to the use of unsafe de-serialization methods in the communication protocol between VSPC management agents and server components.

This article will break down the basics of this vulnerability, show code snippets illustrating the risk, explain its potential impact, and provide links to original references.

What is Deserialization, and Why is it Dangerous?

Serialization is when an application converts an object into a stream of bytes (to send it over a network or save to disk). Deserialization is turning those bytes back into an object. If an app deserializes data received from untrusted sources without checks, attackers could send dangerous data that gets executed as code.

Where is the Problem in VSPC?

The VSPC server communicates with agents and components using serialized data. A vulnerable method was used for de-serialization, which didn't properly validate or sanitize incoming data. This allowed a crafted network packet to be sent to the server, leading it to run arbitrary code under certain conditions.

Condition: The attacker needs to be able to send data to the VSPC server (e.g., within the same network, or through a compromised agent).

CVE-2024-29212 Exploit Example

Let's suppose the underlying deserialization in VSPC is similar to .NET's BinaryFormatter. A simplified attack in C# might look like:

// Attacker's malicious object
[Serializable]
public class EvilPayload : ISerializable
{
    public EvilPayload(SerializationInfo info, StreamingContext context)
    {
        // Payload runs during deserialization
        System.Diagnostics.Process.Start("powershell.exe", "calc.exe");
    }
    public void GetObjectData(SerializationInfo info, StreamingContext context) { }
}

// Serialize the payload
using (var ms = new MemoryStream())
{
    var formatter = new BinaryFormatter();
    formatter.Serialize(ms, new EvilPayload());
    byte[] payloadBytes = ms.ToArray();
    // Send payloadBytes to VSPC server's vulnerable endpoint
}

> Note: Actual communication with VSPC may involve custom message framing, authentication, etc., but at its core, sending the malicious byte stream triggers the bug.

Impact

- Full server compromise: Attackers can run any code as the VSPC process user, often with high privileges.

Lateral movement: If the server is in a sensitive environment, attackers may pivot.

- Persistence/install malware: As with any RCE.

Remediation

Veeam has released patches and instructions to fix this issue. Update VSPC to the latest version as soon as possible.

References and Further Reading

- Veeam Security Advisory VSA-2024-105
- CVE-2024-29212 at NVD
- OWASP: Deserialization of Untrusted Data
- Public articles on Unsafe .NET deserialization attacks

Conclusion

CVE-2024-29212 is a severe flaw in Veeam's Service Provider Console. Given the ease of exploitation and critical impact, patching is urgent. Unsafe deserialization remains a persistent threat in enterprise software, and attackers will continue to use it as a wedge into high-value infrastructure. Take steps today to update, isolate, and monitor your VSPC deployments!

Timeline

Published on: 05/14/2024 15:15:43 UTC
Last modified on: 05/14/2024 16:13:02 UTC