CVE-2024-38650 Overview
CVE-2024-38650 is a critical vulnerability in Veeam Service Provider Console (VSPC). An attacker holding a low-privileged VSPC account can obtain the NTLM hash of the service account used on the VSPC server. Because NTLM authentication needs only the hash and never the cleartext password, the attacker can then authenticate as that service account (pass-the-hash), which can lead to complete compromise of the VSPC host and to lateral movement wherever the service account holds rights.
Critical Impact
Low-privileged attackers can extract NTLM hashes of service accounts, enabling credential theft, privilege escalation, and potential full infrastructure compromise through pass-the-hash techniques.
Affected Products
- Veeam Service Provider Console (VSPC); consult Veeam KB4649 for the exact affected and fixed builds
- Multi-tenant service provider deployments, where many outside parties legitimately hold the low-privileged VSPC accounts this issue requires
- Deployments in which the VSPC service account holds rights beyond the VSPC host, since those rights decide how far a stolen hash carries an attacker
Discovery Timeline
- 2024-09-07 - CVE-2024-38650 published to NVD
- 2024-09-09 - Last updated in NVD database
Technical Details for CVE-2024-38650
Vulnerability Analysis
Although the issue is often described as an authentication bypass, the weakness is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attacker already authenticates to VSPC as a legitimate but low-privileged user; the defect is that VSPC lets such a user read credential material (the service account's NTLM hash) that no tenant or low-privileged role should be able to see. Veeam's advisory does not describe the affected code path beyond this.
The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (score 9.9): the attack is carried out over the network, has low complexity, needs only low privileges and no user interaction, and the scope is changed because the stolen hash is usable against resources outside VSPC itself. Confidentiality, integrity and availability are all rated high, since control of the service account typically means control of the VSPC host.
Root Cause
The root cause of CVE-2024-38650 is an access control failure in the VSPC console: the NTLM hash of the service account is reachable through functionality available to low-privileged authenticated users, without a check that the caller is entitled to credential data. Veeam has not published further detail on the affected component, so any more specific description of the code path would be speculation. What matters for defenders is that the leaked value is the NT hash itself, which is directly usable for NTLM authentication and does not need to be cracked.
Attack Vector
The attack is network-based and requires only a legitimate but low-privileged VSPC account, such as a tenant or read-only user in a service provider deployment. With that access the attacker retrieves the NTLM hash of the VSPC service account.
The NT hash is the key material NTLM authenticates with, so the attacker does not need to recover the password: in a pass-the-hash attack the hash is fed straight into the NTLM challenge-response exchange and the target accepts the logon as the service account. From there the attacker holds whatever rights the service account has, on the VSPC host and on any other system where that account is valid, which is the basis for privilege escalation and lateral movement. No user interaction is required and attack complexity is low, which is why the issue is especially serious in multi-tenant service provider environments, where many outside parties legitimately hold low-privileged accounts.
Detection Methods for CVE-2024-38650
Indicators of Compromise
- Low-privileged VSPC accounts reaching administrative functions or configuration data they do not normally use
- NTLM logons as the VSPC service account from hosts other than the VSPC server, or from workstations of low-privileged VSPC users
- Service account activity outside its normal pattern (new target systems, interactive or NewCredentials logons, unusual hours)
- Unexpected reads of VSPC configuration or credential stores
Detection Strategies
- Monitor VSPC server logs for authentication anomalies and for low-privileged accounts reaching sensitive configuration endpoints
- Build SIEM rules that alert when NTLM authentication as the VSPC service account follows activity by a low-privileged VSPC user
- Collect Windows Security events for logons (4624, including LogonType and AuthenticationPackageName) and explicit-credential logons (4648) on VSPC servers and on hosts the service account reaches, plus NTLM credential validation (4776) on domain controllers
- Deploy endpoint detection to identify credential dumping tools and pass-the-hash tooling targeting service accounts
Monitoring Recommendations
- Alert on any successful authentication as the VSPC service account from a source other than the VSPC server
- Use network traffic analysis to spot NTLM authentication by the service account to hosts it does not normally contact
- Enable audit logging on VSPC and correlate it with Active Directory authentication events for the service account
- Watch for lateral movement following any authenticated access to VSPC infrastructure
How to Mitigate CVE-2024-38650
Immediate Actions Required
- Apply the security update from Veeam Knowledge Base Article KB4649 immediately
- Review and audit every account with access to VSPC, and remove privileges that are not needed
- Rotate the password of the service account used by VSPC; this replaces its stored NT hash, so a hash that has already been stolen stops working. Also reduce the account's rights to the minimum VSPC needs
- Segment the network so that the VSPC server's management interfaces are reachable only by authorized administrators
Patch Information
Veeam has released a security update addressing CVE-2024-38650. Administrators should consult Veeam Knowledge Base Article KB4649 for the affected versions, the fixed build and upgrade instructions. Given the critical rating and the direct path from the leaked hash to credential theft and privilege escalation, the update should be applied as soon as possible, followed by rotation of the service account password.
Workarounds
- Restrict network access to VSPC management interfaces using firewall rules and VPN requirements
- Implement the principle of least privilege for all VSPC user accounts until patching is complete
- Monitor service account usage with enhanced logging and real-time alerting
- Consider temporarily disabling low-privileged user access to VSPC in high-risk environments until the patch is applied
# Configuration example - Restrict VSPC web UI access (Windows Firewall; run from an elevated PowerShell prompt)
# VSPC's web interface listens on TCP 1280 by default. Windows Defender Firewall evaluates explicit block rules
# before allow rules, so a broad "block 1280" rule would also defeat a scoped "allow from trusted range" rule.
# Instead, rely on the profile default inbound action (block) and add only a scoped allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow VSPC Trusted" dir=in action=allow protocol=tcp localport=1280 remoteip=10.0.0.0/8
# Replace 10.0.0.0/8 with the admin network(s) that should reach the console. Then list inbound rules and remove
# or narrow any pre-existing unscoped allow rule for port 1280, otherwise it still admits every source.
netsh advfirewall firewall show rule name=all dir=in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


