SonicWALL Inc.

09/30/2024 | Press release | Distributed by Public on 10/01/2024 02:12

Insecure Deserialization in Veeam Backup and Replication: CVE-2024-40711

Overview

The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.

Identified as CVE-2024-40711, Veeam Backup & Replication versions before 12.1.2.172 allow a threat actor to achieve unauthenticated remote code execution through an underlying insecure deserialization vulnerability, earning a critical CVSS score of 9.8. Given that publicly available proof-of-concept (PoC) code exists for this vulnerability and that Veeam is popular among threat actors, exploitation is more likely in the next several months. Considering the crucial role of Veeam Backup & Replication in an organization's infrastructure, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as stated by the vendor in its advisory.

Technical Overview

This vulnerability arises from a flaw in how the application handles deserialization. The addition of the class type 'System.Runtime.Remoting.ObjRef', a popular .NET deserialization gadget, to the blacklist, as seen in Figure 1, indicates that the attack is likely accomplished using this malicious class.

[Link]

Figure 1: Addition of class type in blacklist

The deserialization occurs in the ProcessMessage function of the Veeam.Common.Remoting.CBinaryServerFormatterSink class, which implements the custom .NET Remoting server. The ProcessMessage function handles the processing of the .NET Remoting packet; the code snippet that performs the deserialization is shown in Figure 2.

[Link]

Figure 2: ProcessMessage function

Although Veeam has put several defenses in place against such deserialization attacks, they do not cover every code path through which untrusted serialized data can reach the ProcessMessage function.

A serializable class uses a whitelist from the file 'Veeam.Backup.Common.Sources.System.IO.BinaryFormatter.whitelist.txt' to restrict the .NET class types allowed during serialization. However, the static function 'CProxyBinaryFormatter.Deserialize' in Veeam.Backup.Core switches from whitelist to blacklist mode during deserialization, as seen in Figure 3.

[Link]

Figure 3: CProxyBinaryFormatter.Deserialize function

Since the blacklist shipped with unpatched Veeam does not include the malicious ObjRef gadget 'System.Runtime.Remoting.ObjRef', remote code execution is possible by leveraging a whitelisted class, such as CDbCryptoKeyInfo, and nesting one BinaryFormatter inside another. The outer deserialization satisfies the .NET Remoting constraints, while the inner layer decodes and deserializes a payload using the exploitable ObjRef gadget. Using this technique, an attacker can obtain SYSTEM-level privileges.
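To illustrate why the nested-payload trick defeats a type filter that is applied only to the outer layer, or that runs in blacklist mode, here is an added Python example written for this page; it is not Veeam's code and not from the advisory. Type names are matched as text in the serialized bytes (a heuristic, not a BinaryFormatter parser), and the allow-list namespace, the pre-patch blacklist entry and the sample bytes are constructed stand-ins.

```python
import base64
import re

# Fully-qualified .NET type names appear as readable text inside BinaryFormatter
# and SoapFormatter streams, so a byte-level search is a workable heuristic.
TYPE_NAME_RE = re.compile(rb"\b[A-Za-z_]\w*(?:\.[A-Za-z_]\w*){2,}\b")
# A Base64 run long enough to plausibly carry a nested serialized object.
BASE64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")
# The gadget this advisory describes; Veeam's patch added it to the blacklist.
GADGET_TYPES = {"System.Runtime.Remoting.ObjRef"}
# Constructed stand-ins: the page names CDbCryptoKeyInfo as whitelisted but not
# its namespace, and does not list the pre-patch blacklist contents.
ALLOW_LIST = {"Veeam.Backup.Core.CDbCryptoKeyInfo"}
PRE_PATCH_DENY_LIST = {"Placeholder.Blocked.Type"}

def type_names(blob: bytes) -> set[str]:
    """Collect the dotted .NET-style type names visible in a serialized blob."""
    return {m.group().decode("ascii") for m in TYPE_NAME_RE.finditer(blob)}

def nested_layers(blob: bytes, max_depth: int = 3):
    """Yield (depth, bytes) for the blob and each Base64 blob nested in it."""
    # Models the nesting trick: a whitelisted outer object carrying a second
    # serialized payload inside a Base64 string field.
    stack = [(0, blob)]
    while stack:
        depth, data = stack.pop()
        yield depth, data
        if depth >= max_depth:
            continue
        for m in BASE64_RE.finditer(data):
            try:
                stack.append((depth + 1, base64.b64decode(m.group(), validate=True)))
            except ValueError:
                continue  # a long alphanumeric run that is not valid Base64

def check_deny_list(blob: bytes, deny: set[str]) -> list[tuple[int, str]]:
    """Blacklist mode: only listed types are rejected, so an unlisted gadget slips through."""
    return [(d, t) for d, data in nested_layers(blob) for t in sorted(type_names(data) & deny)]

def check_outer_only(blob: bytes, allow: set[str]) -> bool:
    """Whitelist enforced on the outer layer only; returns True if the blob is accepted."""
    return type_names(blob) <= allow

def check_all_layers(blob: bytes, allow: set[str]) -> list[tuple[int, str]]:
    """Whitelist enforced at every nesting level; returns the violating (depth, type) pairs."""
    return [(d, t) for d, data in nested_layers(blob) for t in sorted(type_names(data) - allow)]

# Constructed sample modelled on the advisory's description, not a real Veeam packet.
INNER = b"Type=System.Runtime.Remoting.ObjRef;Uri=http://example.invalid/"
SAMPLE = b"\x00\x01Veeam.Backup.Core.CDbCryptoKeyInfo\x00keyBlob=" + base64.b64encode(INNER) + b"\x00"
```

With the sample, the outer-only whitelist and the pre-patch blacklist both accept the blob, while the blacklist extended with ObjRef and the per-layer whitelist both flag the gadget at nesting depth 1.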

Triggering the Vulnerability

Exploiting the vulnerability described above requires the attacker to meet the following prerequisites.

  • The attacker must have network access to the target vulnerable system.
  • The attacker must host the crafted SOAP wrapper payload on an HTTP server, and that server must be reachable from the victim machine.
  • The serialized payload using CDbCryptoKeyInfoWrapper class must be sent to Backup.MountService, running on port 6170 by default.

Exploitation

Exploitation of this vulnerability gives a remote threat actor the ability to execute arbitrary code on the server as SYSTEM. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

We leveraged the publicly available PoC to achieve remote code execution on Veeam Backup & Replication version 12.1.1.56. The exploit code hosts the SOAP payload, generated using ysoserial and SoapFormatter, on an HTTP server. It then sends a Base64-encoded payload, serialized using the CDbCryptoKeyInfoWrapper class, to the PermanentSessionService URI on port 6170, which triggers the insecure deserialization and causes the service to request the hosted SOAP payload, as seen in Figure 4. This leads to Veeam.Backup.MountService executing the defined command, calc.exe.

[Video: https://d3ik27cqx8s5ub.cloudfront.net/blog/media/uploads/4.veeam_poc.mp4?_=1]

Figure 4: POC video

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4511 SoapFormatter Malformed Response
  • IPS: 4512 SoapFormatter Malformed Response 2

Remediation Recommendations

The users of Veeam Backup & Replication are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.