- Posts: 45
- Liked: 13 times
- Joined: Jan 03, 2017 5:25 pm
1) Open Veeam Explorer
2) Expand a mailbox and select a folder
3) Double click an email that includes an HTML link (in my case, the email included an embedded image in the email signature with an invisible "a href" link that points to our website's homepage)
4) Click on the link
6) Click Yes twice on the errors to make them go away
7) Notice that Veeam Explorer then loads new content into the email preview window, replacing the old content. In my case, it loaded the entire live homepage of our website; images, text, and all. It's acting just like a web browser. I can click links on our website to browse other pages, all inside Veeam Explorer.
I would imagine this could be a security vulnerability because a bad guy could send millions of emails that embed or link to malicious scripts, and if Veeam tries to execute those scripts, it could lead to remote root access to the server. Or a more targeted attack could involve someone sending a single malicious email to their mailbox, waiting for it to be backed up, then asking their IT department to restore it from backup and tricking them into previewing the email and running the script on the server.
A second layer to this vulnerability is the fact that Veeam Explorer runs as an Elevated process for some reason, which seems risky for a program that also parses and runs random scripts. Not only are scripts run Elevated, any attachments are also opened Elevated. For example, double click an attachment in one of the emails, and you'll see in Task Manager's "Elevated" column that the resulting process that handles that file type is running Elevated.
I'd guess that a good solution is for any links inside emails to be disabled, the HTML renderer should be super limited in functionality so it cannot load anything malicious from HTML-formatted emails, and the Explorer process should run as a limited user instead of Elevated. If possible, just extract the plaintext from the emails and preview that instead of using any Internet Explorer plugin.
If not a security issue, it's at least unwanted behavior for the email preview window to follow links.
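The text-only preview suggested in the post above, as an added Python sketch that is not part of the original thread and is not Veeam's code: it prefers the text/plain body, otherwise reduces the HTML to visible text with link targets printed as inert strings, so nothing is rendered, executed or fetched. The names `preview_text` and `_TextOnly` are hypothetical, and `SAMPLE` is a constructed message.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class _TextOnly(HTMLParser):  # keeps visible text, drops active content
    SKIP = {"script", "style", "object", "iframe"}  # content of these is discarded

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif self._skip:
            return
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:  # printed as text, never followed or fetched
                self.out.append(f" [link: {href}] ")
        elif tag in ("br", "p", "div"):
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

def preview_text(raw_message: str) -> str:
    """Return a text-only preview of an RFC 5322 message; no remote content is loaded."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:  # a text/plain body needs no HTML handling at all
        return part.get_content().strip()
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()  # flushes any buffered trailing text
    lines = (" ".join(line.split()) for line in "".join(parser.out).splitlines())
    return "\n".join(line for line in lines if line)

SAMPLE = (  # constructed message: signature image wrapped in a link, plus a script
    "Subject: constructed sample\nContent-Type: text/html; charset=utf-8\n\n"
    "<p>Hello team</p><script>alert(1)</script>"
    '<a href="https://www.example.test/"><img src="https://www.example.test/logo.png"></a>'
    "<p>Regards</p>\n")
```

Running the preview under a non-elevated account is a separate control that this sketch does not cover.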
- Product Manager
- Posts: 5749
- Liked: 613 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
I am going to investigate this as soon as possible so I can't give you a definitive answer yet. Give me some time to run this through our QC departments and see what comes up.
Thanks for letting us know!
- Veeam Software
- Posts: 892
- Liked: 141 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
A hotfix is now available for Veeam Backup & Replication version 184.108.40.2062, Veeam Backup for Microsoft Office 365 version 1.5.1309 and Veeam Backup for Microsoft Office 365 version 2.0.x. For more details please see the Security Advisory article KB 2847.