https://vulnerability.circl.lu/comment/feed 2024-09-19T01:50:56.785024+00:00 Vulnerability Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://vulnerability.circl.lu/comment/4e36fb63-ef06-4e9d-8f57-7b76aebf7bde 2024-09-19T01:50:56.789322+00:00 - https://censys.com/cve-2024-40711/ - https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/ ~~~ Well, that was a complex vulnerability, requiring a lot of code-reading! We’ve successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication. We’re a little confused by Veeam’s advisory, however, which seems to be contradictory. As you may recall from the very start of the blogpost, Veeam’s advice was that versions up to and including 12.1.2.172 are vulnerable. While the title of the bug states that “A vulnerability allowing unauthenticated remote code execution (RCE)“, suggesting a world-ending CVSS 10 bug, they then proceed to label the bug as a less-serious CVSS 9.8, requiring user authentication before exploitation is possible. This is confusing, because all versions beneath 12.1.2.172 don’t require authentication to exploit, and only a change made in 12.1.2.172 made it so authentication was required (see above analysis). Perhaps Veeam simply made an error in their advisory, as we (and Code White) clearly demonstrate that authentication is not required. Hopefully, a pre-emptive change wasn’t made in 12.1.2.172 to downgrade the eventual severity of this vulnerability. Regardless of CVSS, the actual situation, as you can see above, is somewhat more nuanced than ‘RCE before 12.1.2.172': Version Status 12.2.0.334 Fully patched. Not affected by the vulnerabilities in this blogpost. 12.1.2.172 Affected, but exploitation requires authentication. Low privilege users are able to execute arbitrary code. 12.1.1.56 and earlier Vulnerable to unauthenticated RCE. Speaking of exploitation, we’re breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!). We’re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit. The most we’re going to drop is this tantalizing video of exploitation, which will have to tide you over until our next post: ~~~ 2024-09-10T06:14:51.710700+00:00