Maintain control of your Microsoft Office 365 data
Post Reply
Posts: 45
Liked: 14 times
Joined: Jan 03, 2017 5:25 pm

Possible security bug: Veeam Explorer, javascript, and errors

Post by stvajnkf » Nov 20, 2018 6:06 pm 1 person likes this post

I asked someone at Veeam about this during a phone call today and they said I should post this on the forum instead of speaking to someone privately.

1) Open Veeam Explorer
2) Expand a mailbox and select a folder
3) Double click an email that includes an HTML link (in my case, the email included an embedded image in the email signature with an invisible "a href" link that points to our website's homepage)
4) Click on the link
5) Notice an error pops up. The error box looks like an old Internet Explorer style error. It says "Script Error" in the title. The body says a lot of stuff including "An error has occurred in the script on this page" and "Do you want to continue running scripts on this page?" and the "URL" parameter refers to a "script src" link in our webpage's HTML that connects to our Google Analytics javascript. This implies that Veeam is actually executing the scripts and running into a script error.
6) Click Yes twice on the errors to make them go away
7) Notice that Veeam Explorer then loads new content into the email preview window, replacing the old content. In my case, it loaded the entire live homepage of our website; images, text, and all. It's acting just like a web browser. I can click links on our website to browse other pages, all inside Veeam Explorer.

I would imagine this could be a security vulnerability because a bad guy could send millions of emails that embed or link to malicious scripts, and if Veeam tries to execute those scripts, it could lead to remote root access to the server. Or a more targeted attack could involve someone sending a single malicious email to their mailbox, waiting for it to be backed up, then asking their IT department to restore it from backup and tricking them into previewing the email and running the script on the server.

A second layer to this vulnerability is the fact that Veeam Explorer runs as an Elevated process for some reason, which seems risky for a program that also parses and runs random scripts. Not only are scripts run Elevated, any attachments are also opened Elevated. For example, double click an attachment in one of the emails, and you'll see in Task Manager's "Elevated" column that the resulting process that handles that file type is running Elevated.

I'd guess that a good solution is for any links inside emails to be disabled, the HTML renderer should be super limited in functionality so it cannot load anything malicious from HTML-formatted emails, and the Explorer process should run as a limited user instead of Elevated. If possible, just extract the plaintext from the emails and preview that instead of using any Internet Explorer plugin.

If not a security issue, it's at least unwanted behavior for the email preview window to follow links.

Mike Resseler
Product Manager
Posts: 6028
Liked: 693 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: Possible security bug: Veeam Explorer, javascript, and errors

Post by Mike Resseler » Nov 20, 2018 6:16 pm

Hey stvajnkf,

I am going to investigate this as soon as possible so I can't give you a definitive answer yet. Give me some time to run this through our QC departments and see what comes up

Thanks for letting us know!

Veeam Software
Posts: 1196
Liked: 200 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Possible security bug: Veeam Explorer, javascript, and errors

Post by Polina » Dec 28, 2018 2:07 pm

To share an important update with the community:

A hotfix is now available for Veeam Backup & Replication version, Veeam Backup for Microsoft Office version 365 1.5.1309 and Veeam Backup for Microsoft Office 365 version 2.0.x. For more details pleas see the Security Advisory article KB 2847.

Post Reply

Who is online

Users browsing this forum: dhnz and 2 guests