What is CVE-2024-40711?
CVE-2024-40711 is a critical remote code execution vulnerability affecting Veeam Backup & Replication (VBR) servers, which attackers are actively exploiting in ransomware attacks. The vulnerability allows for authenticated and, in some cases, unauthenticated exploitation, providing attackers with a foothold in targeted environments. At the time of writing, threat actors are actively exploiting this vulnerability to deploy a new ransomware strain called “Frag,” emphasizing the urgent need for organizations to apply patches and enforce security controls on VBR instances. This report provides an in-depth view of the vulnerability’s technical nuances and highlights measures organizations can take to protect against active exploitation.
When Was the Vulnerability Discovered?
CVE-2024-40711 was originally reported by Code White security researcher Florian Hauser as a deserialization of untrusted data on Veeam VBR servers. watchTowr Labs published a first technical analysis on September 9 and delayed releasing a proof-of-concept exploit until September 15, to give practitioners enough time to apply the security updates Veeam issued on September 4.
Armis Centrix™ for Early Warning added CVE-2024-40711 to its list of known vulnerabilities being exploited in the wild on September 5. This was based on intelligence from numerous honeypot hits starting the day before, September 4, the same day Veeam released its bulletin.
CISA did not add CVE-2024-40711 to its KEV catalog until October 17.
The Discovery by Armis Centrix™
The technology that powers Armis Centrix™ for Early Warning identified this vulnerability as exploited before it became widely acknowledged. This proactive approach, including AI-driven intelligence that employed smart honeypots and monitored dark web chatter, shows the importance of staying ahead of threat actor exploitation to prevent attacks before they impact your environment.
Significance of CVE-2024-40711:
Vulnerable component: the vulnerability affects a REST API endpoint in Veeam Backup & Replication, specifically one related to its administrative functionality. While Veeam has not explicitly stated that unsupported versions are vulnerable, researchers believe they are likely affected as well.
Exploitation scenario: CVE-2024-40711 is a “deserialization of untrusted data” vulnerability. A malicious actor can inject a specially crafted payload into a data stream that the VBR software processes; when the software deserializes that payload, it executes arbitrary code on the system. This can be done remotely and, in some cases, without any authentication.
Impact and blast radius: the impact of CVE-2024-40711 should be considered severe. A successful exploit could allow a remote attacker to execute arbitrary code on the Veeam server, which could in turn allow the attacker to steal data, install malware, or disrupt operations in VBR customer environments, which include businesses of all sizes, government agencies, and educational institutions.
Value of timely awareness: awareness of CVE-2024-40711 is particularly valuable due to its exploitation potential, especially in configurations that do not enforce strong authentication. As ransomware groups exploit this flaw, timely detection and response can prevent full compromise. Early Warnings by Armis ATI added CVE-2024-40711 to the list of known vulnerabilities being exploited in the wild on September 5, the day after Veeam released its bulletin. CISA did not add CVE-2024-40711 to its KEV catalog until October 17.
Mitigation and Protection:
Proactive defense and workarounds: applying Veeam’s security patches for CVE-2024-40711 is the most effective mitigation. To further restrict potential attack vectors, administrators should also enforce strict access controls on Veeam instances, ensuring only trusted IPs can reach these servers, apply network segmentation, and implement multi-factor authentication wherever possible.
Continuous monitoring and updates: continuously monitor for signs of exploitation, including unusual API access patterns and abnormal command execution. Organizations should also use vulnerability scanning tools to identify exposed Veeam instances and monitor threat intelligence sources for any updates or IOCs associated with CVE-2024-40711.
Stay vigilant and ensure your systems are up-to-date to defend against evolving cybersecurity threats.
Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber threats effectively. By leveraging AI-driven actionable threat intelligence, Armis Centrix™ provides insights into potential threats, allowing organizations to understand their impact and take preemptive action.
Interested in learning more about Armis Centrix™ for Early Warning? Sign up for a demo today!
References and Resources:
- https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
- https://news.sophos.com/en-us/2024/11/08/veeam-exploit-seen-used-again-with-a-new-ransomware-frag/
- https://github.com/watchtowrlabs/CVE-2024-40711
- https://www.veeam.com/kb4649