FOCUS FRIDAY: Addressing the Veeam SPC and Cacti Vulnerabilities: A TPRM Approach
Written by: Ferdi Gül
Welcome to this week’s Focus Friday, where we delve into critical vulnerabilities that are reshaping Third-Party Risk Management (TPRM) practices. Today, we spotlight two high-profile issues: the Veeam Service Provider Console and Cacti incidents. Our discussion will not only cover the specifics of these incidents but also illustrate how Black Kite’s FocusTags™ can drive proactive risk management strategies.
CVE-2024-29212 in Veeam SPC: A TPRM Perspective
What is the CVE-2024-29212 vulnerability?
CVE-2024-29212 is a critical vulnerability impacting the Veeam Service Provider Console (VSPC). The vulnerability stems from the VSPC server using an unsafe deserialization method during communication with its management agent and other components. Deserialization, which converts a serialized object (data stream) back into its original form, can be exploited if the incoming data is not properly validated. Malicious actors can inject arbitrary code into the data stream. When the VSPC server deserializes this tampered data, it unknowingly executes the injected code, granting attackers unauthorized access to the system.
Technical Details
A Flaw in Data Handling Opens the Door for Attacks
The way Veeam Service Provider Console (VSPC) processes incoming data creates a security hole. This class of vulnerability, known as ‘unsafe deserialization’, allows attackers to potentially take control of the system remotely. Imagine a malicious actor slipping unwanted code through a gap in communication. That’s essentially what could happen if this flaw is exploited. With a critical severity rating (CVSSv3 score of 9.9, according to HackerOne), a successful attack could disrupt critical backup and disaster recovery processes. This could leave organizations vulnerable to data loss and system outages during a crisis.
The exploitation mechanism of this vulnerability centers on unsafe deserialization. The root cause lies in the way VSPC deserializes data received during communication between the management agent and its components. This flawed process can lead to unintended code execution. The attack vector for this vulnerability is particularly concerning because it can potentially be exploited remotely, allowing attackers to execute arbitrary code from a distance. With a CVSSv3 score of 9.9 (Critical), as indicated by the Veeam security advisory, a successful exploit could allow malicious code execution on the VSPC server. Exploiting this vulnerability could seriously disrupt the backup and disaster recovery processes. This means that if an organization experiences data loss or system outages, their ability to recover could be significantly hindered.
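The two paragraphs above describe the failure mode in general terms: a deserializer that resolves and invokes whatever the incoming stream references. The following is an added illustration, not Veeam’s code and not the .NET serialization VSPC actually uses; it uses Python’s `pickle` as a stand-in because the mechanism is the same. The `Gadget` class, the `record` function and the two sample streams are constructed for the demonstration. The defensive point is the `RestrictedUnpickler`: it rejects any global reference that is not on an explicit allowlist, which is the validation step the text says was missing.

```python
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Assumption for this
# demo: the messages the service expects are plain data, so no global is needed.
ALLOWED_GLOBALS = set()


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global the stream asks for unless it is allowlisted.

    pickle (like many serializers) lets the stream name a callable and have it
    invoked during load; this hook is where that request is validated."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


CALLS = []  # records side effects that occur while a stream is being loaded


def record(tag):
    CALLS.append(tag)
    return tag


class Gadget:
    """Constructed stand-in for a tampered object. On load, the stream instructs
    the unpickler to call `record`; in the attack the page describes, the
    referenced callable would be the attacker's choice instead."""

    def __reduce__(self):
        return (record, ("callable ran during deserialization",))


# Constructed sample streams: one tampered, one benign.
TAMPERED = pickle.dumps(Gadget())
BENIGN = pickle.dumps({"agent": "vspc-agent-01", "job": "backup", "ok": True})


def load_unsafe(data: bytes):
    """The trusting pattern: plain loads() resolves and runs the referenced callable."""
    CALLS.clear()
    pickle.loads(data)
    return list(CALLS)


def load_restricted(data: bytes):
    """The validated pattern: the same stream is refused before anything runs."""
    CALLS.clear()
    try:
        value = restricted_loads(data)
    except pickle.UnpicklingError as err:
        return {"accepted": False, "error": str(err), "side_effects": list(CALLS)}
    return {"accepted": True, "value": value, "side_effects": list(CALLS)}


if __name__ == "__main__":
    print("unsafe   :", load_unsafe(TAMPERED))
    print("restricted:", load_restricted(TAMPERED))
    print("benign    :", load_restricted(BENIGN))
```

The allowlist is deliberately empty: a service that only exchanges plain data should not need to resolve any type by name, and every entry added to it widens what an untrusted peer can make the server instantiate.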
The provider announced that this vulnerability doesn’t impact other Veeam products, such as Veeam Backup & Replication, Veeam Agent for Microsoft Windows, or Veeam ONE. Service providers utilizing Veeam Service Provider Console versions 7 and 8 are advised to update to the latest cumulative patch. For those on unsupported versions, upgrading to the latest version of Veeam Service Provider Console is strongly recommended.
What is the scope of CVE-2024-29212?
This vulnerability specifically impacts the Veeam Service Provider Console (VSPC) versions 4.0, 5.0, 6.0, 7.0, and 8.0.
While there haven’t been any confirmed instances of CVE-2024-29212 being exploited in real-world scenarios, the advisory stresses the importance of promptly patching this vulnerability. Veeam’s platforms have drawn the attention of cybercriminal groups like Cuba ransomware and the notorious FIN7. These groups have a history of exploiting similar vulnerabilities to conduct data encryption and extortion schemes.
Timeline for CVE-2024-29212:
May 7, 2024 (Tuesday)
- Vulnerability has started to be shared as an announcement on some websites.
- The vulnerability was publicly disclosed on the Veeam Support Knowledge Base.
May 8, 2024 (Wednesday)
- The vulnerability was modified on the Veeam Support Knowledge Base.
- The vulnerability was analyzed and the FocusTag™ processing was completed by Black Kite’s Research Team.
May 14, 2024 (Tuesday)
- The vulnerability was publicly disclosed (published) on NVD (National Vulnerability Database) and assigned the CVE-ID CVE-2024-29212.
TPRM Implications
Third-party risk management (TPRM) teams should prioritize addressing the critical vulnerability CVE-2024-29212. This flaw in VSPC, a software program used by managed service providers (MSPs) for backup and disaster recovery, exposes systems to remote code execution (RCE) attacks. A successful exploit could disrupt an organization’s ability to recover from data loss or outages during a crisis.
TPRM professionals should take the following steps to mitigate risks associated with CVE-2024-29212:
- Conduct an inventory assessment to identify and verify all instances of Veeam Service Provider Console (VSPC) within your organization’s network, with particular focus on those managed by third-party vendors.
- Engage proactively with your MSPs to ensure they are informed about CVE-2024-29212 and have a patching plan in place for affected VSPC instances.
- Increase system monitoring to detect any indications of suspicious activity or unauthorized access attempts, with a focus on VSPC servers.
TPRM experts can significantly reduce the risk associated with CVE-2024-29212 and safeguard critical backup and disaster recovery operations by implementing these measures.
Engaging with Vendors Regarding CVE-2024-29212
How can vendors detect and remediate CVE-2024-29212?
Veeam has released some patches to address this critical security vulnerability. Here are some proactive measures vendors can take:
- Prioritize Patch Application: Upgrade VSPC to the latest available build: for 7.x, install build 7.0.0.18899; for 8.x, install build 8.0.0.19236. Closely monitor Veeam’s security updates and prioritize applying patches for future vulnerabilities as soon as they are released.
- Restrict VSPC Server Access: Minimize the attack surface by restricting access to the VSPC server. This can be achieved by limiting access to trusted IP addresses only.
- Monitor Network Activity: Implement advanced network monitoring tools to identify anomalous traffic patterns that might signal exploitation attempts targeting CVE-2024-29212.
- Secure Backups: Maintain regular backups of VSPC configuration files. Ensure these backups are stored securely and not accessible from the VSPC server itself. This will allow for faster recovery in case of a successful exploit.
Mitigating Vendor Risk of CVE-2024-29212 with Black Kite’s FocusTags™
On May 8, 2024, the critical vulnerability CVE-2024-29212 was disclosed on the Black Kite platform. It serves as a reminder that organizations must prioritize robust security practices. Given the role VSPC plays in data backup and recovery during emergencies, this critical infrastructure must not be left vulnerable.
CVE-2024-25641 in Cacti: A TPRM Perspective
What is the CVE-2024-25641 vulnerability?
As Black Kite Focus Friday readers may recall, we previously wrote an article in January with a focus on the “Cacti SQLi” tag. Following the vulnerability CVE-2023-51448, this week we conducted a FocusTag operation on the critical CVE-2024-25641 vulnerability, ensuring that our customers are informed about this issue in advance. The CVSS score for this vulnerability is 9.1.
Cacti, a popular open-source network monitoring tool, has a critical vulnerability that could allow attackers to seize control of your system. This means hackers could potentially see everything your Cacti monitors, steal data, or even launch attacks from your machine!
Additionally, we recommend reviewing the vulnerability identified as CVE-2024-29895, published in the NVD on May 15, 2024, regarding a Command Injection vulnerability found in Cacti’s 1.3.x-dev version. Although endpoints running this version are not clearly visible from the outside, if you are using this vulnerable version, we advise updating to the version where the fix has been applied.
Technical Details
The issue lies in how Cacti handles data imports. Imagine a backdoor snuck into your house through a package delivery. In this case, the “package” is an XML file used by Cacti, and the “backdoor” is malicious code hidden within it. Because Cacti trusts this data too much, the code can be written to your system and potentially run as if it were supposed to be there.
Anyone with permission to import templates in Cacti (which could include some administrators) is at risk.
To truly understand how this vulnerability works, let’s take a closer look at it alongside a proof of concept (POC).
Source of the vulnerability:
The vulnerability is located in the import_package() function within the /lib/import.php script. The function is vulnerable to path traversal attacks because it blindly trusts the filename and file content from XML data. This can be exploited to write or overwrite files on the web server, leading to the execution of arbitrary PHP code.
Attackers can attempt to exploit the vulnerability by following these steps. Understanding them can help you devise strategies to protect your organization:
- Generate Malicious Package XML: The attacker creates a PHP script to generate a malicious XML file containing PHP code to be executed on the target server.
- Create XML Signature: Using OpenSSL, the attacker generates signatures for the PHP code and the XML data.
- Upload Malicious Package: With a user account having the necessary permissions, the attacker uploads the malicious XML file through Cacti’s “Import/Export” feature.
- Exploit Execution: Cacti’s vulnerable function blindly trusts the XML data and writes the attacker’s PHP code to the server’s file system.
- Impact: The attacker’s PHP code becomes accessible on the web server, allowing for the execution of arbitrary PHP code and potential further compromise.
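The root cause named above is that `import_package()` joins a filename taken from the XML onto the import directory and trusts the result. The following added example, written in Python rather than Cacti’s PHP and not taken from the Cacti code base, contrasts that trusting join with a validated one: the target path must resolve inside the import directory and carry an allowed extension. The package format (`<package>`/`<file>`/`<name>`/`<data>`), the sample entries and the allowed-extension set are constructed for the demonstration and are not Cacti’s real schema.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample package (not Cacti's real format). One benign template and
# three entries that a trusting importer would write where it should not.
SAMPLE_PACKAGE = """<package>
  <file><name>templates/graph_template.xml</name><data>&lt;graph/&gt;</data></file>
  <file><name>../../shell.php</name><data>PLACEHOLDER</data></file>
  <file><name>/tmp/absolute.xml</name><data>PLACEHOLDER</data></file>
  <file><name>templates/inline.php</name><data>PLACEHOLDER</data></file>
</package>"""

# Assumption: imported package entries are template XML, never executable files.
ALLOWED_SUFFIXES = {".xml"}


def unsafe_target(base_dir: str, name: str) -> Path:
    """The trusting pattern: the name from the XML is joined and used as-is.
    Only the resulting path is computed here; nothing is written."""
    return Path(base_dir) / name


def is_inside(base: Path, candidate: Path) -> bool:
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def validated_target(base_dir: str, name: str) -> Path:
    """Hardened pattern: resolve symlinks and '..', then require the result to sit
    under the import directory and to have an allowed extension."""
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    if not is_inside(base, candidate):
        raise ValueError(f"{name!r}: escapes import directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"{name!r}: extension {candidate.suffix!r} not allowed")
    return candidate


def import_package(xml_text: str, base_dir: str):
    """Write validated entries under base_dir; return (written, rejected)."""
    # For genuinely untrusted XML, parse with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    base = Path(base_dir).resolve()
    written, rejected = [], []
    for entry in root.findall("file"):
        name = entry.findtext("name", "")
        data = entry.findtext("data", "")
        try:
            target = validated_target(base_dir, name)
        except ValueError as err:
            rejected.append((name, str(err)))
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(data)
        written.append(target.relative_to(base).as_posix())
    return written, rejected


def demo():
    base = tempfile.mkdtemp(prefix="cacti-import-")
    written, rejected = import_package(SAMPLE_PACKAGE, base)
    naive = unsafe_target(base, "../../shell.php").resolve()
    return {
        "written": written,
        "rejected": [name for name, _ in rejected],
        "naive_escapes": not is_inside(Path(base).resolve(), naive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving before checking matters: a lexical check on the raw string misses symlinks inside the import directory, and the extension check is what stops an entry that stays inside the directory but would still be served as executable code.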
How many endpoints can be accessed through Cacti?
Recent research suggests that nearly 5,000 endpoints could be potentially accessed externally through Cacti. It’s important to consider that this number might not include endpoints that solely rely on other access methods offered by Cacti.
Timeline for Cacti Vulnerability:
May 12, 2024 (Sunday)
- The vulnerability was shared in Cacti’s security advisory on GitHub.
May 13, 2024 (Monday)
- The vulnerability was analyzed and the FocusTag™ processing was completed by Black Kite’s Research Team.
- The first article mentioning CVE-2024-25641 was published.
May 14, 2024 (Tuesday)
- The vulnerability was publicly published on NVD and assigned the CVE-ID CVE-2024-25641.
TPRM Implications
Third-Party Risk Management (TPRM) professionals should prioritize addressing the critical vulnerability CVE-2024-25641. This flaw in Cacti versions prior to 1.2.27 allows attackers to potentially execute malicious code remotely on vulnerable systems. Effective TPRM practices are crucial to safeguard your organization from such downstream risks.
Here’s what TPRM professionals can do to mitigate risks associated with CVE-2024-25641:
- Identify all systems using Cacti and verify they are updated to version 1.2.27 or later.
- Isolate any vulnerable systems until they can be patched.
- Think of WAFs as security guards for your Cacti server; they prevent unauthorized uploads of malicious code, ensuring your system remains secure.
- IDS are vigilant guards constantly scanning your network. If they see something suspicious happening, they’ll raise the alarm so you can take action.
- Regular vulnerability scanning is like getting a check-up at the doctor. It helps identify weaknesses before they can be exploited. Schedule scans regularly and prioritize fixing any vulnerabilities that are found.
By following these steps, TPRM professionals can effectively mitigate the risks associated with CVE-2024-25641 and safeguard their organization from potential attacks. This proactive approach strengthens your overall cybersecurity posture and ensures a more resilient defense against future vulnerabilities.
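Both the Veeam and the Cacti checklists start with the same task: find every instance in the inventory and verify its build against the fixed version. The following added example, not Black Kite’s tooling, triages a constructed inventory against the versions stated on this page (VSPC 7.x fixed in build 7.0.0.18899, 8.x in 8.0.0.19236, VSPC 4/5/6 treated as unsupported branches needing an upgrade; Cacti fixed in 1.2.27, with 1.3.x-dev flagged for review of both CVE-2024-25641 and CVE-2024-29895). The host names, vendor names and build numbers in the inventory are constructed.

```python
from dataclasses import dataclass

# Fixed builds as stated on this page.
VSPC_FIXED = {7: (7, 0, 0, 18899), 8: (8, 0, 0, 19236)}
VSPC_UNSUPPORTED_MAJORS = {4, 5, 6}  # affected; page advises upgrading to the latest VSPC
CACTI_FIXED = (1, 2, 27)

# Constructed sample inventory: (vendor, host, product, version).
INVENTORY = [
    ("msp-alpha", "vspc-01", "Veeam Service Provider Console", "8.0.0.19236"),
    ("msp-alpha", "vspc-02", "Veeam Service Provider Console", "7.0.0.18000"),
    ("msp-beta", "vspc-legacy", "Veeam Service Provider Console", "6.0.0.1"),
    ("noc-vendor", "cacti-01", "Cacti", "1.2.26"),
    ("noc-vendor", "cacti-02", "Cacti", "1.2.27"),
    ("noc-vendor", "cacti-dev", "Cacti", "1.3.0-dev"),
]


@dataclass
class Finding:
    vendor: str
    host: str
    product: str
    version: str
    cve: str
    status: str   # vulnerable | patched | review | unknown
    action: str


def parse_version(text: str):
    """'8.0.0.19236' -> ((8, 0, 0, 19236), ''); '1.3.0-dev' -> ((1, 3, 0), 'dev').
    Numeric tuples compare correctly, unlike the raw strings ('1.2.9' > '1.2.27')."""
    core, _, suffix = text.partition("-")
    return tuple(int(part) for part in core.split(".")), suffix


def assess_vspc(version: str):
    numbers, _ = parse_version(version)
    major = numbers[0]
    if major in VSPC_UNSUPPORTED_MAJORS:
        return "vulnerable", "unsupported branch: upgrade to the latest VSPC release"
    fixed = VSPC_FIXED.get(major)
    if fixed is None:
        return "unknown", "version outside advisory scope: confirm with vendor"
    if numbers < fixed:
        return "vulnerable", "install build " + ".".join(map(str, fixed))
    return "patched", "no action"


def assess_cacti(version: str):
    numbers, suffix = parse_version(version)
    if suffix == "dev" and numbers[:2] == (1, 3):
        return "review", "1.3.x-dev: confirm fix status for CVE-2024-25641 and CVE-2024-29895"
    if numbers < CACTI_FIXED:
        return "vulnerable", "upgrade to Cacti 1.2.27 or later"
    return "patched", "no action"


ASSESSORS = {
    "Veeam Service Provider Console": ("CVE-2024-29212", assess_vspc),
    "Cacti": ("CVE-2024-25641", assess_cacti),
}
PRIORITY = {"vulnerable": 0, "review": 1, "unknown": 2, "patched": 3}


def triage(inventory):
    """Assess every in-scope row and return findings, most urgent first."""
    findings = []
    for vendor, host, product, version in inventory:
        if product not in ASSESSORS:
            continue
        cve, assess = ASSESSORS[product]
        status, action = assess(version)
        findings.append(Finding(vendor, host, product, version, cve, status, action))
    return sorted(findings, key=lambda f: (PRIORITY[f.status], f.vendor, f.host))


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.status:10} {f.vendor:11} {f.host:12} {f.version:12} {f.cve}  {f.action}")
```

Grouping the output by vendor is what turns this into a TPRM artifact rather than a patch list: each vendor with a `vulnerable` row is the one to contact with the patching-plan question from the checklist above.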
Engaging with Vendors
When assessing a vendor’s response to the CVE-2024-25641 vulnerability in Cacti, consider posing these questions:
- How does CVE-2024-25641 exploit the “Package Import” feature in Cacti?
- What level of user permission is required to exploit this vulnerability (e.g., administrator, any authenticated user)?
- Can an attacker remotely exploit the vulnerability, or does it require local access to the system?
- Are there any logs or indicators of compromise (IOCs) that can be used to detect a potential vulnerability exploit attempt?
- Beyond upgrading to Cacti version 1.2.27, are there any additional steps administrators can take to mitigate the risk of CVE-2024-25641 exploitation (e.g., restricting user permissions)?
- How critical is it to upgrade to Cacti version 1.2.27 to address CVE-2024-25641?
- Is there a specific timeline for deploying the patch for this vulnerability in development versions (e.g., Cacti 1.3.x)?
By posing these questions, you can understand the vendor’s efforts to tackle this vulnerability and make informed decisions on mitigating risks to your systems. This proactive approach protects your systems from immediate threats and strengthens your cybersecurity stance against future vulnerabilities.
How can vendors detect and remediate CVE-2024-25641?
There is currently no publicly available information on specific tools or techniques Cacti developers can use to detect CVE-2024-25641 within their codebase. However, users can employ some general code auditing practices:
Remediation:
- Upgrade Immediately: The primary fix is to update Cacti to version 1.2.27 or later, which addresses this vulnerability.
- Restrict Template Imports: Limit “Import Templates” permissions to authorized users only.
- Stay Informed: Keep up-to-date with security advisories from the Cacti team for future vulnerabilities.
Temporary Mitigations (until update):
- If possible, disable Cacti or consider taking it offline until the update is applied.
- Enforce strong passwords and change defaults.
- Implement firewall restrictions to limit network traffic.
For Developers:
- While reviewing the code, we discovered that the vulnerability is in the import_package() function located in /lib/import.php. Pay close attention to parts of the code where user-supplied data is used in filenames or file contents.
General Security Practices:
- Monitor Network Traffic. Keep an eye out for suspicious activity on your network.
Mitigating Vendor Risk of CVE-2024-25641 with Black Kite’s FocusTags™
On May 13, 2024, a critical vulnerability identified as CVE-2024-25641 was disclosed on the Black Kite platform. This highlights the potential risks associated with unpatched Cacti software and underscores the importance of proactive security measures to safeguard critical network infrastructure components.
Enhancing TPRM Capabilities with Black Kite’s FocusTags™
In today’s dynamic cybersecurity landscape, effective Third-Party Risk Management (TPRM) is crucial. Black Kite’s FocusTags™ for Veeam SPC and Cacti specifically address the unique challenges posed by these incidents. Here’s how these tags are critical in managing third-party risks:
- Immediate Threat Identification: Rapidly pinpoints vendors affected by the Veeam SPC or the Cacti vulnerabilities, enabling swift mitigation actions.
- Risk Prioritization: Assists in categorizing vendor risks, focusing on those with the highest exposure due to these specific incidents.
- Strategic Vendor Interactions: Facilitates detailed discussions with vendors about their exposure to the Veeam SPC or the Cacti vulnerability, ensuring they understand the risks and mitigation strategies.
- Comprehensive Security Enhancement: Provides insights into the cascading impacts of the VSPC and Cacti vulnerabilities, helping to bolster overall security posture and resilience.
With these FocusTags™, Black Kite translates intricate threat data into actionable intelligence, empowering TPRM professionals to proactively manage and mitigate risks associated with specific high-profile incidents.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
- Cacti: CVE-2024-25641, Remote Code Execution Vulnerability in Cacti
- Veeam SPC: CVE-2024-29212, Remote Code Execution Vulnerability in Veeam Service Provider Console
- TinyProxy: CVE-2023-49606, Use-After-Free Vulnerability, RCE Vulnerability in Tinyproxy
- ArubaOS: CVE-2024-26304, Buffer Overflow Vulnerability, Remote Code Execution Vulnerability in ArubaOS
- CrushFTP VFS: CVE-2024-4040, a Server Side Template Injection Vulnerability in CrushFTP
- Sisense Client
- FortiClient EMS: CVE-2023-48788, SQL Injection Vulnerability in Fortinet’s FortiClient Endpoint Management Server
- FortiOS SSL VPN: CVE-2024-21762, An Out-of-Bounds Write Vulnerability in FortiOS [Tag updated]
- Outlook RCE: CVE-2023-36439, RCE Vulnerability in Microsoft Exchange Server
- Change Healthcare Client
- JetBrains TeamCity: CVE-2023-42793, Authentication Bypass in JetBrains TeamCity CI/CD Servers; CVE-2024-27198, Authentication Bypass Vulnerability [Tag Updated]
- ScreenConnect: CVE-2024-1709, Authentication Bypass Vulnerability
- Cisco ASA [Suspected]: CVE-2020-3259, Information Disclosure Vulnerability
- Exchange Server: CVE-2024-21410, Privilege Elevation Vulnerability
- QNAP QTS: CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
- Symantec MG [Suspected]: CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
- FortiOS SSL VPN [Suspected]: CVE-2024-22024, An Out-of-Bounds Write Vulnerability
- RoundCube [Suspected]: CVE-2023-43770, Stored-XSS Vulnerability [Updated]
- Citrix ADC/Gateway: CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
- Ivanti EPMM: CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
- GoAnywhere [Suspected]: CVE-2024-0204, Authentication Bypass Vulnerability
- Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
- Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability, CVE-2023-46805, Authentication Bypass Vulnerability
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-29212
https://nvd.nist.gov/vuln/detail/CVE-2024-25641
https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
https://karmainsecurity.com/KIS-2024-04
https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.html