Comprehensive data protection for all workloads
Anders
Enthusiast
Posts: 58
Liked: 12 times
Joined: Sep 09, 2010 9:45 am
Full Name: Anders Lorensen

Veeam and security

Post by Anders » 1 person likes this post

I've worked with Veeam since the first versions. I work as a consultant and see a lot of Veeam installations. I've never never hit any security-related issues with the software until lately, when I found a security-related bug in Veeam. A bug that looks like it has existed since at least version 6.5, but with v8 became critical in my eyes.

So I wanted to report the bug to Veeam. I first looked on the Veeam web site to see if Veeam has some kind of "security task force" - nothing found. So I opened a support case with detailed info on the bug. I was met by a Level 1 support engineer who did not understand the problem or its scope. After asking for it to be escalated, it finally reached the state "R&D says it's a known bug and will be fixed in v9".
(Case 01060568)

The bug affects all customers (possibly only when using VMware; I haven't tested with Hyper-V). I don't want to go into details here in public, as the bug is still not fixed. The bug is not "Heartbleed-critical", but it could help hackers get access to (non-Veeam) systems a lot more easily. The bug has a simple "workaround" fix, if you know it exists. If you don't know it exists, it will expose security information about the systems it backs up. Right now I fear very few people know about it.

I was expecting more from Veeam than a personal "Known bug, fixed in a future release". I am (was) expecting to be informed about security-related bugs. I trust all my data to Veeam software. How else can I trust Veeam with my very sensitive data if Veeam doesn't help me secure Veeam installations?

Am I missing something here? Is there a hidden mailing list that sends out information about security-related issues in Veeam products? If not, consider this a "feature request"!

Thanks for reading,
Anders
Gostev
Chief Product Officer
Posts: 31574
Liked: 6727 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam and security

Post by Gostev » 2 people like this post

Hi, Anders.

Thanks for your feedback - we will discuss the best way to handle this. It's a way more complex topic than you might think from the user perspective, because it is considered bad practice to draw attention to the existence of a security breach until it is fixed in the code (see: responsible disclosure), as even merely hinting at the product area where the issue occurs gives attackers a huge benefit in pursuing and determining it.

Nevertheless, we will review and determine the best course of action. There simply has not been a need to establish this process before, as no security-related issues were reported (or found internally). Our devs are pretty serious about security and do constant code reviews to ensure there are no holes. This is the reason why you've "never never hit any security related issues with the software", as you noted above. But, of course, it is impossible to catch everything - especially as the product gets more and more functionality. In fact, we had another security issue reported earlier that is fixed in Update 3. So, we truly appreciate any help from our users in finding those.

Rest assured, it is our policy to address any and all reported security issues in the immediate product update.

Thanks again!
isgroup
Lurker
Posts: 2
Liked: never
Joined: Oct 05, 2015 3:39 pm
Full Name: ISGroup
Location: Verona, Italy

Re: Veeam and security

Post by isgroup »

Hi Gostev,

Sorry to hijack this thread. Will Case # 00984117 be fixed with Update 3?

Thanks,
Francesco Ongaro
http://www.isgroup.it/
Gostev
Chief Product Officer
Posts: 31574
Liked: 6727 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam and security

Post by Gostev »

Hi, yes, it is fixed. In my previous post, I was actually talking about the issue you found ;)
isgroup
Lurker
Posts: 2
Liked: never
Joined: Oct 05, 2015 3:39 pm
Full Name: ISGroup
Location: Verona, Italy

Re: Veeam and security

Post by isgroup »

Great!

If you give me a link to the patch and changelog I'll happily include it in the advisory. Do you want to review the draft before it goes public?

Thanks,
Francesco Ongaro
http://www.isgroup.it/
Gostev
Chief Product Officer
Posts: 31574
Liked: 6727 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam and security

Post by Gostev »

We are live: KB2068