CVE-2023-27532: PoC Exploit Released for Veeam Backup and Replication Vulnerability


On Saturday, March 18, 2023, Horizon3 researchers released a proof-of-concept (PoC) exploit for CVE-2023-27532, a high-severity missing authentication vulnerability impacting Veeam Backup and Replication (VBR) software. Based on Horizon3’s technical analysis published on March 23rd, the PoC exploit allows a remote unauthenticated threat actor with access to the VBR service to obtain plaintext usernames and passwords. The username and password could then be leveraged to elevate privileges and obtain Remote Code Execution (RCE) on the vulnerable device with the permissions of the compromised user.  

Note: Veeam’s security advisory states that successful exploitation of CVE-2023-27532 results in a threat actor obtaining encrypted credentials stored in the configuration database. However, Horizon3’s PoC exploit leverages the CredentialsDbScopeFindCredentials endpoint to take it a step further and eventually extract plaintext usernames and passwords. 

CVE-2023-27532 was originally disclosed and patched on Tuesday, March 7, 2023.  

At this time, we have not observed active exploitation of CVE-2023-27532. However, with the public release of Horizon3’s PoC exploit and the ease of exploitation, we assess that active exploitation of this vulnerability will almost certainly begin in the near term.  

Impacted Products 

Product: Veeam Backup & Replication and Veeam Backup & Replication Community Edition
Affected Versions:
  • All builds of V12 prior to build 12.0.0.1420 P20230223
  • All builds of V11 prior to build 11.0.1.1261 P20230227
Fixed Versions:
  • V12 build 12.0.0.1420 P20230223 or newer
  • V11 build 11.0.1.1261 P20230227 or newer

Note: Veeam has also provided a temporary workaround for customers who are not able to immediately apply the patches.

Recommendations for CVE-2023-27532

Recommendation #1: Patch Vulnerable Versions of Veeam Backup and Replication Software 

Arctic Wolf strongly recommends patching all Veeam Backup and Replication software, including the community edition, within your environment to prevent successful exploitation. 

Product: Veeam Backup and Replication 12
Release Information and Patch: KB4420: Release Information for Veeam Backup & Replication 12 Cumulative Patches

Product: Veeam Backup and Replication 11
Release Information and Patch: KB4245: Release Information for Veeam Backup & Replication 11a Cumulative Patches


Note: Patches must be installed on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11a installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable. 

Recommendation #2: Apply Veeam Provided Workaround 

If you are not immediately able to apply the relevant security patches, we strongly recommend applying Veeam’s provided workaround: if you use an all-in-one Veeam appliance with no remote backup infrastructure components, block external connections to TCP port 9401 in the backup server firewall until the patch is installed.
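The following PowerShell is an added example of applying and verifying that workaround on an all-in-one VBR server; it is not Veeam’s or Arctic Wolf’s own script. It assumes the server uses Windows Defender Firewall, that the session is elevated, and that the rule name and the "<vbr-server>" placeholder are chosen by you.

```powershell
# Added example (not from Veeam or Arctic Wolf): block external TCP 9401 on an
# all-in-one VBR server with Windows Defender Firewall, then verify the rule.
# Run in an elevated PowerShell session on the backup server itself.
# The rule name below is an assumption; use whatever fits your change records.
$Port     = 9401
$RuleName = 'CVE-2023-27532 workaround - block inbound TCP 9401'

# 1. Confirm something is actually listening on 9401 here, so the rule is
#    applied on the host that matters (the Veeam backup service).
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $Port on this host; confirm this is the VBR server."
}
else {
    $owner = Get-Process -Id $listener[0].OwningProcess
    Write-Host "TCP $Port is owned by process '$($owner.ProcessName)' (PID $($owner.Id))."
}

# 2. Create the block rule once (idempotent: skipped if it already exists).
#    Block rules take precedence over allow rules in Windows Defender Firewall,
#    so an existing Veeam allow rule for 9401 does not override this one.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary workaround until the Veeam cumulative patch is installed' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Profile Any -Action Block | Out-Null
    Write-Host "Created firewall rule '$RuleName'."
}

# 3. Verify the rule is present, enabled and blocking on every profile.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

# 4. From a different machine, confirm the port is no longer reachable
#    (expect TcpTestSucceeded : False); <vbr-server> is a placeholder:
#    Test-NetConnection -ComputerName <vbr-server> -Port 9401

# 5. Once the cumulative patch is installed, remove the temporary rule:
#    Remove-NetFirewallRule -DisplayName $RuleName
```

The listener check in step 1 is there because the workaround only helps on the host running the backup service; applying the rule elsewhere gives a false sense of coverage. Keep the rule in place only until the patch from Recommendation #1 is confirmed installed.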

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.