On Saturday, March 18, 2023, Horizon3 researchers released a proof-of-concept (PoC) exploit for CVE-2023-27532, a high-severity missing authentication vulnerability impacting Veeam Backup and Replication (VBR) software. Based on Horizon3’s technical analysis published on March 23rd, the PoC exploit allows a remote unauthenticated threat actor with access to the VBR service to obtain plaintext usernames and passwords. The username and password could then be leveraged to elevate privileges and obtain Remote Code Execution (RCE) on the vulnerable device with the permissions of the compromised user.
Note: Veeam’s security advisory states that successful exploitation of CVE-2023-27532 results in a threat actor obtaining encrypted credentials stored in the configuration database. However, Horizon3’s PoC exploit leverages the CredentialsDbScopeFindCredentials endpoint to take it a step further and eventually extract plaintext usernames and passwords.
CVE-2023-27532 was originally disclosed and patched on Tuesday, March 7, 2023.
At this time, we have not observed active exploitation of CVE-2023-27532. However, with the public release of Horizon3’s PoC exploit and the ease of exploitation, we assess that active exploitation of this vulnerability will almost certainly begin in the near term.
|Product||Affected Versions||Fixed Versions|
|Veeam Backup & Replication and Veeam Backup & Replication Community Edition||
Recommendations for CVE-2023-27532
Recommendation #1: Patch Vulnerable Versions of Veeam Backup and Replication Software
Arctic Wolf strongly recommends patching all Veeam Backup and Replication software, including the community edition, within your environment to prevent successful exploitation.
|Product||Release Information and Patch|
|Veeam Backup and Replication 12||KB4420: Release Information for Veeam Backup & Replication 12 Cumulative Patches|
|Veeam Backup and Replication 11||KB4245: Release Information for Veeam Backup & Replication 11a Cumulative Patches|
Note: Patches must be installed on the Veeam Backup & Replication server. All new deployments of Veeam Backup & Replication versions 12 and 11a installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.
Recommendation #2: Apply Veeam Provided Workaround
If you are not immediately able to apply the relevant security patches, we strongly recommend leveraging Veeam’s provided workaround; if you use an all-in-one Veeam appliance with no remote backup infrastructure components, block external connections to TCP port 9401 in the backup server firewall until the patch is installed.