Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. Patch it now!

Proof-of-concept (PoC) exploit code for the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available.

Researcher Sina Kheirkhah analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and released a proof-of-concept exploit for this issue.

The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The vulnerability was addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

  • This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
    To do this, stop and disable the following services:
    • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
    • VeeamRESTSvc (Veeam RESTful API Service)
      Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.
  • Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
  • Veeam Backup Enterprise Manager can be uninstalled if it is not in use.

Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.

Kheirkhah explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (VeeamRESTSvc), which is installed during the setup of the Veeam Enterprise Manager software.

“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with the either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher.

The service listens on port TCP/9398 and operates as a REST API server, essentially an API version of the main web application, which listens on port TCP/9443.

The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. A server under the attacker’s control then responds positively to the validation, granting the attacker administrator access.

To detect exploitation attempts, the researcher recommends analyzing the following log file:

C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log

Search it for the string “Validating Single Sign-On token. Service enpoint URL:”.
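
The log check described above, as an added example (not code from the researcher or from Veeam): it finds every entry carrying the marker string, extracts the URL that follows it, and flags validations sent to a host outside an allowlist. The allowlist, the host names and the sample log lines are assumptions constructed for the demo; only the log path and the marker string come from the article.

```python
import re
from urllib.parse import urlsplit

# Path and marker string as quoted in the article (marker spelling unchanged).
LOG_PATH = r"C:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log"
MARKER = "Validating Single Sign-On token. Service enpoint URL:"

# Assumption: hosts of the SSO services this site legitimately uses (placeholder).
TRUSTED_SSO_HOSTS = {"vcenter.corp.example"}

# Constructed sample lines: only the marker text comes from the article; the
# timestamp layout, other fields and the bracketed URL variant are invented.
SAMPLE_LOG = """\
[10.06.2024 09:14:02] <12> Info Validating Single Sign-On token. Service enpoint URL: https://vcenter.corp.example/sts/STSService
[10.06.2024 09:15:40] <17> Info Session created for user CORP\\backupadmin
[10.06.2024 11:52:31] <09> Info Validating Single Sign-On token. Service enpoint URL: https://203.0.113.10/sso
[10.06.2024 11:52:33] <09> Info Validating Single Sign-On token. Service enpoint URL: [https://vcenter.corp.example.lookalike.example:8443/sts]
"""

# Capture whatever follows the marker up to whitespace or a closing bracket.
URL_RE = re.compile(re.escape(MARKER) + r"\s*\[?(?P<url>[^\s\]]+)")


def find_sso_validations(lines, trusted_hosts=TRUSTED_SSO_HOSTS):
    """Return (line_no, url, host, trusted) for each SSO validation entry."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = URL_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            host = ""  # unparsable URL: never treated as trusted
        # Exact host comparison, so look-alike names do not pass as trusted.
        hits.append((line_no, url, host, host in trusted))
    return hits


def untrusted_validations(lines, trusted_hosts=TRUSTED_SSO_HOSTS):
    """Entries whose validation endpoint is not on the allowlist."""
    return [hit for hit in find_sso_validations(lines, trusted_hosts) if not hit[3]]


if __name__ == "__main__":
    # On a server: lines = open(LOG_PATH, encoding="utf-8", errors="replace")
    for line_no, url, host, _ in untrusted_validations(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: SSO token validated against untrusted host {host!r}: {url}")
```
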

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)

Japanese video-sharing platform Niconico was victim of a cyber attack

The Japanese video-sharing platform, Niconico, was forced to suspend its services following a cybersecurity incident.

The Japanese video-sharing platform, Niconico, temporarily suspended its services following a large-scale cyberattack on June 8, 2024.

“Due to the effects of a large-scale cyber attack, Niconico has been unavailable since early morning on June 8th” reads the incident notice published by the company. “We sincerely apologize for the inconvenience.”

In response to the incident, the company temporarily suspended Niconico Family Services such as Niconico Video, Niconico Live Broadcast, Niconico Channel, etc. The company also suspended the Niconico Account login on external services.

“Beginning in the early hours of Saturday, June 8th, an issue occurred that prevented access to multiple servers in our group. In response to this incident, we immediately shut down the relevant servers to protect the data. Based on the scope of our internal analysis and investigation that was conducted on the same day, we have determined that there is a high possibility that we were the victim of a cyber attack.” reads a statement from the company.

The video-sharing platform also canceled/postponed programs scheduled from June 10th to June 16th.

The company is investigating the security incident with the help of law enforcement and external experts to determine the full extent of the damage.

The company has yet to determine if threat actors have stolen any information from its systems.

The Japanese firm did not reveal the type of cyberattack it suffered; however, the problems it is facing and the incident response procedure adopted suggest it was the victim of a ransomware attack.

Pierluigi Paganini

(SecurityAffairs – hacking, cyber attack)

UK NHS calls for O-type blood donations following ransomware attack on London hospitals

The UK NHS issued an urgent call for O-type blood donations following the recent ransomware attack that hit several London hospitals.

The UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London.

In early June, a ransomware attack on pathology and diagnostic services provider Synnovis severely impacted operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures; in some cases, patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

Synnovis has yet to release a new update and hasn’t provided any information on the scope of the attack.

Law enforcement suspects that the Qilin extortion gang is behind the attack.

NHS London published a statement on the Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement published by NHS London.

“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal.” continues the NHS. “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.”

The NHS confirmed that the ransomware attack has disrupted blood matching tests; as a result, affected hospitals are using O Negative and O Positive blood for patients who can’t wait for alternative matching methods. For this reason, the NHS is calling for O-type blood donations.

“England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.” reads the announcement published by the NHS Blood and Transplant.

“The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.”

O Negative is a universal blood type that anyone can receive, which makes it crucial in emergencies or when a patient’s blood type is unknown. Although only 8% of the population has O Negative blood, it accounts for about 15% of hospital orders. O Positive, the most common blood type, can be given to anyone with a positive blood type, benefiting 76% of the population; 35% of blood donors have O Positive blood.

“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.” said Dr Gail Miflin, Chief Medical Officer, NHS Blood and Transplant. “We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.”

Pierluigi Paganini

(SecurityAffairs – hacking, London hospitals)
