CVE-2024-29852 - High-Privileged Log Exposure in Veeam Backup Enterprise Manager

---

Veeam Backup Enterprise Manager is a popular solution for managing and monitoring Veeam Backup & Replication environments. In 2024, a new vulnerability—CVE-2024-29852—was identified, affecting certain versions of this software. This post explains what the issue is, how it can be exploited, and how to keep your systems safe. All the information here is carefully compiled to make it easier for IT admins and security professionals to understand.

What is CVE-2024-29852?

CVE-2024-29852 is a security flaw found in Veeam Backup Enterprise Manager. It allows users with high-level privileges to access backup session logs that may contain sensitive information.

Normally, system logs help admins track what’s happening on their servers. However, these backup session logs sometimes store details (such as backup jobs, IP addresses, error details, and potential internal identifiers) that shouldn’t be easily visible, even to some high-privileged users, depending on the organization’s security policy.

Summary of Issue:
High-privileged users (like Veeam admins, or delegated roles with certain rights) can browse and read backup session logs directly through the web interface or potentially via APIs. This access exposes more information than necessary for their role.

Exposure to backup session logs can create several risks

- Sensitive Information Leakage: Logs may include sensitive file paths, server names, network structure, or even data remnants in error messages or job status descriptions.
- Further Exploitation: With detailed knowledge about your backup routines, attackers with admin access gain a roadmap to your infrastructure—making privilege escalation and lateral movement easier.
- Audit Evasion: Logs might inadvertently contain information useful for hiding malicious activity if an attacker deletes or alters logs after accessing them.

How Does The Exploit Work?

The vulnerability requires high-level access. An attacker must already have admin or similar privileges in your Veeam system. Here’s a simplified walkthrough:

1. Login: They log in to the Veeam Backup Enterprise Manager web interface or use an authenticated API call.

Browse to ‘History’ or ‘Sessions’: They navigate to the backup job or session history.

3. View Logs: They open the detailed session logs, viewing paths, error messages, potentially file-level details, and internal system information.

Example: Viewing Logs Through Web Interface

1. Go to 'History' tab.
2. Click on 'Sessions.'
3. Select a session from the list.
4. Click ‘View Log’ to see detailed output.

An admin can see something like

Task "Backup Job – DatabaseServer"
  2024-03-12 10:15:32 Job started by DOMAIN\adminuser from 10.20.30.40
  2024-03-12 10:16:02 Processing C:\SensitiveFiles\HR\HR_backup.vbk
  2024-03-12 10:19:44 Error: Access denied to C:\SensitiveFiles\CEO\Private.xlsx
  2024-03-12 10:19:54 Job completed with warning

Notice how this includes file paths and possibly sensitive documents, even if the backup failed.

Code Snippet: Using the REST API

You can also pull session logs directly using the Veeam REST API. Here’s a simplified example in Python:

import requests

# Authenticate and get your session token first
headers = {
    "X-RestSvcSessionId": "your-session-token-here"
}

# Replace with your actual Veeam Enterprise Manager host & session ID
url = 'https://veeam-em-server:9443/api/sessions/{session_id}/logs';

response = requests.get(url, headers=headers, verify=False)
if response.status_code == 200:
    print(response.text) # Will print log details to console
else:
    print('Failed to fetch logs: ', response.status_code)

Any user with the right token (an admin or delegated role) can pull session logs and potentially mine sensitive info.

Who is Vulnerable?

- Veeam Backup Enterprise Manager deployments where multiple admins or delegated operators have access.

Environments where log data is not appropriately limited or reviewed.

- Versions released before Veeam’s fix.

Update:

Veeam published patches to address CVE-2024-29852. Check Veeam KB4556 for your version and install updates immediately.

Review User Privileges:

Limit the number of users with administrative or delegated rights. Apply the principle of least privilege.

Official References and Further Reading

- Veeam Security Advisory: CVE-2024-29852
- CVE Official Page – CVE-2024-29852
- Veeam Backup Enterprise Manager Documentation

Final Thoughts

While CVE-2024-29852 doesn’t let outsiders in, it provides high-privileged users with more internal information than they might need. In a complex organization or in case of credential compromise, this can be a stepping stone for bigger problems. Always keep your systems up-to-date, enforce minimal privileges, and regularly check your logs—both for what’s in them, and who’s looking at them.

Stay secure!

*This article is exclusive and written for clear understanding. For more technical details, always refer to official vendor updates.*

Timeline

Published on: 05/22/2024 23:15:09 UTC
Last modified on: 07/03/2024 01:52:49 UTC