CVE-2024-29851
📋 TL;DR
This vulnerability in Veeam Backup Enterprise Manager allows authenticated high-privileged users to capture the NTLM hash of the Enterprise Manager service account. This affects organizations using Veeam Backup Enterprise Manager where privileged users could potentially abuse their access. The stolen hash could enable lateral movement or privilege escalation within the environment.
💻 Affected Systems
- Veeam Backup Enterprise Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain the NTLM hash of the service account, enabling pass-the-hash attacks to compromise the entire Veeam infrastructure, potentially leading to backup data theft, ransomware deployment, or complete system takeover.
Likely Case
Malicious insider or compromised privileged account uses the hash to escalate privileges within the Veeam environment, potentially accessing sensitive backup data or modifying backup configurations.
If Mitigated
With proper access controls and monitoring, the impact is limited to detection of hash capture attempts and containment of any compromised accounts.
🎯 Exploit Status
Exploitation requires existing high-privileged access to the Veeam Backup Enterprise Manager interface; no public exploit is noted here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Veeam KB4581 for specific version information
Vendor Advisory: https://veeam.com/kb4581
Restart Required: Yes
Instructions:
1. Review Veeam KB4581 for specific patch details.
2. Apply the security update to all affected Veeam Backup Enterprise Manager installations.
3. Restart the Veeam Backup Enterprise Manager service after patching.
🔧 Temporary Workarounds
Restrict Privileged Access
Limit the number of users with high-privileged access to Veeam Backup Enterprise Manager to only those who absolutely require it.
Implement Monitoring
Enable detailed logging and monitor for unusual authentication events or hash capture attempts.
🧯 If You Can't Patch
- Implement strict access controls and principle of least privilege for Veeam Backup Enterprise Manager
- Enable comprehensive logging and monitoring for authentication events and suspicious activities
🔍 How to Verify
Check if Vulnerable:
Check your Veeam Backup Enterprise Manager version against the patched versions listed in KB4581
Check Version:
Check Veeam Backup Enterprise Manager version through the web interface or installation directory
Verify Fix Applied:
Verify that the Veeam Backup Enterprise Manager version matches or exceeds the patched version specified in KB4581
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful privileged access
- Unexpected service account authentication events
Network Indicators:
- Unusual NTLM authentication traffic from Veeam Backup Enterprise Manager servers
SIEM Query:
source="veeam" AND (event_type="authentication" OR event_type="privileged_access") AND user="service_account"
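As an added example (not code from this advisory or from Veeam), the following Python checks constructed Enterprise Manager authentication events for two of the log indicators above: the service account authenticating over NTLM from a host other than the Enterprise Manager server, and repeated failed logons followed by a successful privileged logon. The event field names, the service account name and the server address are assumptions.

```python
"""Added example (not from the advisory or from Veeam): check constructed
Enterprise Manager authentication events for the log indicators listed above."""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_ACCOUNT = "corp\\svc-veeam-em"   # assumed service account name
EM_HOSTS = {"10.0.5.10"}                 # assumed Enterprise Manager server(s)
FAIL_THRESHOLD = 3                       # failures within WINDOW before a privileged success
WINDOW = timedelta(minutes=10)

# Constructed sample events; the field names are assumptions, not Veeam's log schema.
EVENTS = [
    {"ts": "2024-05-20T09:00:01", "user": "corp\\alice", "auth": "Kerberos", "src": "10.0.5.20", "result": "failure", "priv": False},
    {"ts": "2024-05-20T09:00:30", "user": "corp\\alice", "auth": "Kerberos", "src": "10.0.5.20", "result": "failure", "priv": False},
    {"ts": "2024-05-20T09:01:00", "user": "corp\\alice", "auth": "Kerberos", "src": "10.0.5.20", "result": "failure", "priv": False},
    {"ts": "2024-05-20T09:02:00", "user": "corp\\alice", "auth": "Kerberos", "src": "10.0.5.20", "result": "success", "priv": True},
    {"ts": "2024-05-20T09:05:00", "user": "corp\\svc-veeam-em", "auth": "NTLM", "src": "10.0.5.10", "result": "success", "priv": True},
    {"ts": "2024-05-20T09:06:00", "user": "corp\\svc-veeam-em", "auth": "NTLM", "src": "10.0.5.20", "result": "success", "priv": True},
    {"ts": "2024-05-20T09:07:00", "user": "corp\\bob", "auth": "Kerberos", "src": "10.0.5.21", "result": "failure", "priv": False},
    {"ts": "2024-05-20T09:08:00", "user": "corp\\bob", "auth": "Kerberos", "src": "10.0.5.21", "result": "success", "priv": True},
]

def detect(events, service_account=SERVICE_ACCOUNT, em_hosts=EM_HOSTS):
    """Return (indicator, user, src, ts) tuples for every event that matches an indicator."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logons
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"].lower()
        # Indicator: the service account authenticating over NTLM from a host that is
        # not an Enterprise Manager server (a captured hash may be in use elsewhere).
        if user == service_account.lower() and e["auth"] == "NTLM" and e["src"] not in em_hosts:
            alerts.append(("service_account_ntlm_from_unexpected_host", e["user"], e["src"], e["ts"]))
        # Indicator: repeated failed logons followed by a successful privileged logon.
        if e["result"] == "failure":
            failures[user].append(t)
            continue
        recent = [f for f in failures[user] if t - f <= WINDOW]
        if e["priv"] and len(recent) >= FAIL_THRESHOLD:
            alerts.append(("failures_then_privileged_success", e["user"], e["src"], e["ts"]))
        failures[user].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The logon from the Enterprise Manager server itself (10.0.5.10) is treated as expected, so only the second service-account event and alice's privileged success after three failures are reported.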