{"uuid": "4e36fb63-ef06-4e9d-8f57-7b76aebf7bde", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "More details about the Veeam vulnerability", "description": "- https://censys.com/cve-2024-40711/\n- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/\n\n~~~\nWell, that was a complex vulnerability, requiring a lot of code-reading! We\u2019ve successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication.\n\nWe\u2019re a little confused by Veeam\u2019s advisory, however, which seems to be contradictory. As you may recall from the very start of the blogpost, Veeam\u2019s advice was that versions up to and including 12.1.2.172 are vulnerable. While the title of the bug states that \u201cA vulnerability allowing unauthenticated remote code execution (RCE)\u201c, suggesting a world-ending CVSS 10 bug, they then proceed to label the bug as a less-serious CVSS 9.8, requiring user authentication before exploitation is possible. This is confusing, because all versions beneath 12.1.2.172 don\u2019t require authentication to exploit, and only a change made in 12.1.2.172 made it so authentication was required (see above analysis).\n\nPerhaps Veeam simply made an error in their advisory, as we (and Code White) clearly demonstrate that authentication is not required. Hopefully, a pre-emptive change wasn\u2019t made in 12.1.2.172 to downgrade the eventual severity of this vulnerability.\n\nRegardless of CVSS, the actual situation, as you can see above, is somewhat more nuanced than \u2018RCE before 12.1.2.172':\nVersion \tStatus\n12.2.0.334 \tFully patched. Not affected by the vulnerabilities in this blogpost.\n12.1.2.172 \tAffected, but exploitation requires authentication. Low privilege users are able to execute arbitrary code.\n12.1.1.56 and earlier \tVulnerable to unauthenticated RCE.\n\nSpeaking of exploitation, we\u2019re breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!). We\u2019re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit. The most we\u2019re going to drop is this tantalizing video of exploitation, which will have to tide you over until our next post:\n~~~", "description_format": "markdown", "vulnerability": "cve-2024-42024", "creation_timestamp": "2024-09-09T20:48:43.060182+00:00", "timestamp": "2024-09-10T06:14:51.710700+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}