CVE-2020-10914
Published: 2020-04-22
Priority: P180, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 47.03% (98.7th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PerformHandshake method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10400.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veeam | one | — | — |
| veeam | one_agent | — | — |
Detection & IOCs (extracted from sources)
- Authentication is not required to exploit this vulnerability — monitor for unauthenticated inbound connections to the Veeam ONE Agent service port.
- Exploit triggers a deliberate handshake failure to cause the agent to deserialize attacker-controlled data — look for anomalous or malformed handshake traffic to the Veeam ONE Agent listener.
- Target the HandshakeResult() method in network traffic inspection — exploitation occurs specifically through this code path in the Veeam ONE Agent.
- Execution occurs in the context of the Veeam ONE Agent service account — monitor for unexpected child processes or lateral movement originating from the Veeam ONE Agent service process.
- Patched versions are 9.5.5.4587 (release line 9) and 10.0.1.750 (release line 10) — detections should account for both vulnerable release lines.
- Veeam continued distributing version 10.0.0.750 post-disclosure but with the patch pre-applied — version number alone is insufficient to confirm vulnerability; patch application must be verified.
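CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |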
- http://packetstormsecurity.com/files/157529/Veeam-ONE-Agent-.NET-Deserialization.html
- https://www.veeam.com/kb3144
- https://www.zerodayinitiative.com/advisories/ZDI-20-545/
Published: 2020-04-22