CVE-2024-40713
📋 TL;DR
This vulnerability allows low-privileged users in Veeam Backup & Replication to modify Multi-Factor Authentication settings and bypass MFA protection. It affects organizations using Veeam Backup & Replication with role-based access control. Attackers with basic user access could disable MFA requirements for their accounts.
💻 Affected Systems
- Veeam Backup & Replication
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with low-privileged access disables MFA for their account, then uses stolen credentials to gain administrative access to the backup infrastructure, potentially compromising all backup data and recovery capabilities.
Likely Case
Malicious insider or compromised low-privileged account disables MFA, then escalates privileges to access sensitive backup data or disrupt backup operations.
If Mitigated
With proper network segmentation and monitoring, unauthorized MFA changes are detected and blocked before privilege escalation occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has low-privileged credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version specified in Veeam KB4649
Vendor Advisory: https://www.veeam.com/kb4649
Restart Required: Yes
Instructions:
1. Download the patch from Veeam KB4649.
2. Apply the patch to all Veeam Backup & Replication servers.
3. Restart Veeam services.
4. Verify MFA settings integrity.
🔧 Temporary Workarounds
Restrict MFA Configuration Access
Temporarily restrict access to MFA configuration settings to administrators only until patching.
Use Veeam console to modify role permissions and remove MFA configuration rights from low-privileged roles
🧯 If You Can't Patch
- Implement strict monitoring of MFA configuration changes and alert on any modifications
- Enforce network segmentation to isolate Veeam management interfaces from general user networks
🔍 How to Verify
Check if Vulnerable:
Check Veeam Backup & Replication version against the patched version in KB4649. Review role permissions to see if low-privileged roles have MFA configuration rights.
Check Version:
In Veeam Backup & Replication console: Help > About, or check installed programs in Windows Control Panel
Verify Fix Applied:
After patching, verify that low-privileged roles cannot modify MFA settings. Test with a low-privileged account attempting to change MFA configuration.
📡 Detection & Monitoring
Log Indicators:
- Unusual MFA configuration changes
- Authentication events from low-privileged accounts followed by MFA changes
- Failed MFA configuration attempts from unauthorized roles
Network Indicators:
- Unusual API calls to MFA configuration endpoints from non-admin accounts
SIEM Query:
source="veeam" AND (event_type="mfa_config_change" OR event_type="authentication_setting_modify") AND user_role!="administrator"
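The two log indicators above, implemented as an added detection example (not from the original page or from Veeam). It runs over constructed sample events in an assumed simplified format; the field names mirror the SIEM query above, not Veeam's actual log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field layout is an assumption, not Veeam's real log format.
SAMPLE_EVENTS = [
    {"ts": "2024-09-05T10:00:00", "event_type": "authentication",
     "user": "backup-operator1", "user_role": "backup_operator"},
    {"ts": "2024-09-05T10:02:30", "event_type": "mfa_config_change",
     "user": "backup-operator1", "user_role": "backup_operator"},
    {"ts": "2024-09-05T11:00:00", "event_type": "mfa_config_change",
     "user": "admin1", "user_role": "administrator"},
    {"ts": "2024-09-05T12:00:00", "event_type": "authentication",
     "user": "viewer2", "user_role": "viewer"},
    {"ts": "2024-09-05T13:30:00", "event_type": "authentication_setting_modify",
     "user": "viewer2", "user_role": "viewer"},
]

# Event types that correspond to an MFA / authentication-setting modification.
MFA_EVENTS = {"mfa_config_change", "authentication_setting_modify"}


def non_admin_mfa_changes(events):
    """Equivalent of the SIEM query: MFA-related changes made by a non-administrator role."""
    return [e for e in events
            if e["event_type"] in MFA_EVENTS and e["user_role"] != "administrator"]


def auth_then_mfa_change(events, window=timedelta(minutes=15)):
    """Second indicator: a non-admin account authenticates and then changes MFA
    settings within `window`. Returns (user, role, timestamp) per hit."""
    hits = []
    last_auth = {}  # user -> time of most recent authentication event
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["event_type"] == "authentication":
            last_auth[e["user"]] = t
        elif e["event_type"] in MFA_EVENTS and e["user_role"] != "administrator":
            prev = last_auth.get(e["user"])
            if prev is not None and t - prev <= window:
                hits.append((e["user"], e["user_role"], e["ts"]))
    return hits


if __name__ == "__main__":
    for hit in auth_then_mfa_change(SAMPLE_EVENTS):
        print("ALERT: non-admin MFA change shortly after login:", hit)
```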