CVE-2024-38650
📋 TL;DR
This authentication bypass vulnerability allows low-privileged attackers to access NTLM hashes of service accounts on VSPC servers. Attackers could use these hashes for pass-the-hash attacks or credential theft. Organizations running affected Veeam VSPC versions are impacted.
💻 Affected Systems
- Veeam Service Provider Console
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of VSPC server leading to lateral movement across the network, domain escalation, and potential ransomware deployment.
Likely Case
Service account credential theft enabling unauthorized access to backup infrastructure and potential data exfiltration.
If Mitigated
Limited to isolated VSPC server compromise if proper network segmentation and privileged account management are implemented.
🎯 Exploit Status
Requires authenticated low-privilege access but exploitation is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0.2621
Vendor Advisory: https://www.veeam.com/kb4649
Restart Required: Yes
Instructions:
1. Download VSPC 8.0.0.2621 from the Veeam website.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart VSPC services as prompted.
🔧 Temporary Workarounds
Network Segmentation
Isolate the VSPC server from general network access and restrict it to backup administrators only.
Privileged Account Management
Implement Just-In-Time access and monitor service account usage.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach VSPC server
- Enable detailed logging and monitoring for unusual authentication attempts or hash extraction activities
🔍 How to Verify
Check if Vulnerable:
Check the VSPC version in the web interface or via PowerShell using the command under "Check Version" below.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Veeam Service Provider Console*'} | Select-Object Name, Version
Verify Fix Applied:
Confirm the version is 8.0.0.2621 or higher using the same command, and verify there are no authentication bypass attempts in the logs.
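The following script is an added example of the version check above; it is not from this page or from Veeam. It compares every installed VSPC component against the fixed build 8.0.0.2621 from the vendor advisory, reading the Windows Uninstall registry keys rather than Win32_Product: querying Win32_Product makes Windows Installer re-validate every installed package (slow, and it writes repair events to the Application log), and Get-WmiObject itself is not available in PowerShell 7, where Get-CimInstance replaces it. It assumes the product's DisplayName contains "Veeam Service Provider Console" and that DisplayVersion carries the build in the same four-part form the advisory uses.

```powershell
# Added example (not from the original page or from Veeam): report whether the
# installed Veeam Service Provider Console build is at or above the fixed version.

$FixedVersion = [version]'8.0.0.2621'   # patch version from the vendor advisory (KB4649)

# Both native and WOW6432Node uninstall hives, so 32-bit components are not missed.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every installed product whose display name mentions VSPC
# (assumption: the server, web UI and agent components all carry this name).
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Veeam Service Provider Console*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $Installed) {
    Write-Output 'Veeam Service Provider Console not found in the Uninstall registry keys.'
    return
}

foreach ($Product in $Installed) {
    # [version]::TryParse accepts 2- to 4-part strings; anything else is reported, not guessed.
    $Current = $null
    if (-not [version]::TryParse($Product.DisplayVersion, [ref]$Current)) {
        Write-Warning "Could not parse version '$($Product.DisplayVersion)' for $($Product.DisplayName)"
        continue
    }

    # Four-part comparison, so 8.0.0.2621 is "patched" but 8.0.0.2600 is not.
    [pscustomobject]@{
        Product    = $Product.DisplayName
        Installed  = $Current
        FixedBuild = $FixedVersion
        Status     = if ($Current -ge $FixedVersion) { 'Patched (>= 8.0.0.2621)' } else { 'VULNERABLE - update required' }
    }
}
```

Run it in an elevated PowerShell session on the VSPC host; each installed component is reported on its own row, so a partially updated server (for example, a web UI component left on an older build) shows up rather than being hidden behind a single version string.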
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful low-privilege access
- Unexpected service account hash retrieval
Network Indicators:
- Unusual outbound connections from VSPC server
- SMB/NTLM traffic patterns indicative of pass-the-hash
SIEM Query:
source="veeam_vspc" AND ((event_type="authentication" AND result="success" AND user_privilege="low") OR (event_type="credential_access" AND method="hash_extraction"))
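The NTLM pass-the-hash pattern listed under Network Indicators also has a host-side footprint in the VSPC server's Windows Security log: NTLM network logons (event 4624, logon type 3) by accounts that should only ever authenticate with Kerberos. The script below is an added example, not from this page or from Veeam, that surfaces those logons per account and source address. It assumes logon auditing is enabled on the host, that it runs locally with administrator rights, and that $ServiceAccounts is replaced with your own VSPC service account names (the values shown are placeholders).

```powershell
# Added example (not from the original page or from Veeam): hunt for NTLM network
# logons by VSPC service accounts in the local Security log.

$ServiceAccounts = @('svc_vspc', 'svc_veeam')   # PLACEHOLDER account names, replace with yours
$LookbackHours   = 24

$Filter = @{
    LogName   = 'Security'
    Id        = 4624                                # successful logon
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$Hits = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named EventData fields from the event XML; the names below are
    # the standard 4624 fields, so this does not depend on positional indexes.
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        User        = $Data['TargetUserName']
        Domain      = $Data['TargetDomainName']
        LogonType   = [int]$Data['LogonType']
        AuthPackage = $Data['AuthenticationPackageName']
        SourceIp    = $Data['IpAddress']
        Workstation = $Data['WorkstationName']
    }
} | Where-Object {
    # Logon type 3 = network. NTLM for a domain service account that normally
    # uses Kerberos is the signal worth reviewing; -contains is case-insensitive.
    $_.LogonType -eq 3 -and
    $_.AuthPackage -eq 'NTLM' -and
    $ServiceAccounts -contains $_.User
}

# Summarise by account and source so a new or unexpected source stands out.
$Hits |
    Group-Object User, SourceIp |
    Select-Object @{n = 'Account, Source'; e = { $_.Name }}, Count,
                  @{n = 'FirstSeen'; e = { ($_.Group | Measure-Object TimeCreated -Minimum).Minimum }},
                  @{n = 'LastSeen';  e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum }} |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Some NTLM use by service accounts is normal (local SAM accounts, or clients that cannot reach a KDC), so baseline the output first and alert on a source address or workstation name that has not appeared before, not on NTLM alone.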