The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.
Identified as CVE-2024-40711, Veeam Backup & Replication versions before 12.1.2.172 allow a threat actor to achieve unauthenticated remote code execution through an underlying insecure deserialization vulnerability, earning a critical CVSS score of 9.8. Considering that publicly available proof-of-concept (PoC) code exists for this vulnerability and that Veeam is popular among threat actors, exploitation is more likely in the next several months. Considering the crucial role of Veeam Backup & Replication in an organization's infrastructure, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.
This vulnerability arises from a flaw in how the application handles the deserialization process. The addition of the class type ‘System.Runtime.Remoting.ObjRef’ (which is also a popular .NET deserialization gadget) to the blacklist, as seen in Figure 1, indicates that the attack is likely accomplished using this malicious class.
Figure 1: Addition of class type in blacklist
The deserialization occurs in the ProcessMessage function of the Veeam.Common.Remoting.CBinaryServerFormatterSink class, which implements the custom .NET remoting server. The ProcessMessage function handles the processing of the .NET remoting packet; the code snippet that performs the deserialization is shown in Figure 2.
Figure 2: ProcessMessage function
Although Veeam has enforced several defenses against such deserialization attacks, it did not consider all possible code paths that could ultimately allow untrusted serialized data to reach the ProcessMessage function.
A serializable class uses a whitelist from the file ‘Veeam.Backup.Common.Sources.System.IO.BinaryFormatter.whitelist.txt’ to filter the allowed .NET class types in the serialization process. However, the static function ‘CProxyBinaryFormatter.Deserialize’ from Veeam.Backup.Core switches from whitelist mode to blacklist mode during deserialization, as seen in Figure 3.
Figure 3: CProxyBinaryFormatter.Deserialize function
Since the blacklist shipped with unpatched Veeam doesn’t include the malicious ObjRef gadget ‘System.Runtime.Remoting.ObjRef’, remote code execution is possible by leveraging a class that has been whitelisted, such as CDbCryptoKeyInfo, and nesting one BinaryFormatter inside another. The outer deserialization satisfies the .NET Remoting constraints, while the inner layer decodes and deserializes a payload using the exploitable ObjRef gadget. Using this technique, an attacker can obtain SYSTEM-level privileges.
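The defensive counterpart to the whitelist-to-blacklist switch described above is a default-deny SerializationBinder that every deserialization path, outer and inner, must use. The following is an added illustration in C# for .NET Framework's BinaryFormatter, not Veeam's own code; the whitelist file path and its one-type-name-per-line format are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical allow-list binder; example code, not Veeam's CProxyBinaryFormatter.
// BinaryFormatter asks the binder to resolve every type it meets in the object
// graph, so a type absent from the list is rejected before it is instantiated.
public sealed class AllowListBinder : SerializationBinder
{
    private readonly HashSet<string> _allowed;

    public AllowListBinder(IEnumerable<string> allowedTypeNames)
    {
        _allowed = new HashSet<string>(allowedTypeNames, StringComparer.Ordinal);
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Default-deny: a gadget such as System.Runtime.Remoting.ObjRef fails
        // here regardless of whether anyone remembered to put it on a blacklist.
        if (!_allowed.Contains(typeName))
            throw new SerializationException(
                $"Type '{typeName}' is not on the deserialization allow list.");

        Type t = Type.GetType($"{typeName}, {assemblyName}", throwOnError: false);
        if (t == null)
            throw new SerializationException($"Cannot resolve '{typeName}'.");
        return t;
    }
}

public static class GuardedFormatter
{
    // Every code path that deserializes untrusted bytes, including any inner
    // BinaryFormatter created while an allow-listed class is itself being
    // deserialized, must obtain its formatter here. A binder on the outer
    // formatter does not protect a second formatter instantiated further down,
    // which is exactly the gap the nested-formatter technique exploits.
    public static BinaryFormatter Create(string whitelistPath)
    {
        // Assumed format: one .NET type name per line (hypothetical file).
        IEnumerable<string> allowed = File.ReadLines(whitelistPath);
        return new BinaryFormatter { Binder = new AllowListBinder(allowed) };
    }

    public static object Deserialize(byte[] untrusted, string whitelistPath)
    {
        using (var ms = new MemoryStream(untrusted))
            return Create(whitelistPath).Deserialize(ms);
    }
}
```

Microsoft documents BinaryFormatter as unsafe for untrusted input even with a binder attached, so an allow-list binder narrows the exposure but does not replace the vendor's fixed version or a move away from BinaryFormatter.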
Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites.
Exploitation of this vulnerability gives the remote threat actor the ability to execute arbitrary code on the server as SYSTEM. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.
We leveraged the publicly available PoC to achieve remote code execution on Veeam Backup & Replication version 12.1.1.56. The exploit code hosts the SOAP payload, generated using ysoserial and SoapFormatter, on an HTTP server. It then sends a payload that is base64-encoded and serialized using the CDbCryptoKeyInfoWrapper class to the URI PermanentSessionService on port 6170, which triggers the insecure deserialization and requests the hosted SOAP payload, as seen in Figure 4. This leads to the execution of the defined underlying command calc.exe by Veeam.Backup.MountService.
Figure 4: POC video
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
The users of Veeam Backup & Replication are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.