Security Concern

[mgratla]

Browsing seclist today and I came accross an interesting post regarding Veeam and a security vulnerability

http://seclists.org/fulldisclosure/2015/Oct/44

If I am reading this correctly, the Veeam Proxy software stores the local/domain admin account and password in its local (client being backed up) log files. The password a simple double base64 encrypted string. The log file is readable by Everyone, including local users all the way down to guest accounts.

Log locations
Windows Server 2003: %allusersprofile%\Application Data\Veeam\Backup
Windows Server 2008 and up: %programdata%\Veeam\Backup

This could mean that any server backed up using Veeam Proxy could contain the information, or it may just be located on the Veeam Proxy servers themselves.

Excerpt:

“The vulnerability allows a local Windows user, even with low privileges
as the ones provided to an anonymous IIS's virtualhost user, to access
Veeam Backup logfiles that include a double-base64 encoded version of
the password used by Veeam to run.

The affected component is VeeamVixProxy, created by default on
installation and the user must be a privileged Local Administrator or
a Domain Administrator.

For example the wizard for adding a VMware or Hyper-V Backup Proxy
explicitly state "Type in an account with local administrator privileges
on the server you are adding. Use DOMAIN\USER format for domain
accounts, or HOST\USER for local accounts.".

We conservatively refer to this issue as a Local Administrator Privilege
Escalation but the use of Domain Administrator accounts is not
discouraged, if not advised, and we saw this pattern in our customers
production infrastructures.


Has anyone dealt with this? Does veeam have any follow up on this at all?

[alanbolte]

You may have missed this portion of the article:

Update: on 8 October 2015 Veeam B&R 8.0 Update 3 has been released and
the vendor states it fixes the vulnerability. You are strongly advised
to update to the latest version.

[mgratla]

You're right, I did, but I'm interested in any additional advice someone may have to further protect ourselves

[dellock6]

The discussion about the choice between local or domain accounts is a long one, but I can give you few pros and cons of each.
Actually, the usage of a centralized authentication system like AD improves security in the meaning that the user database is not stored locally in the given machine that can be hacked, but by itself it's not more secure. The password can be cracked regardless the user is a local or a central one. Worse, if I loose a domain account, this one has access to different systems, while a local account has only access to the server where is created.
On the other side, a centralized management allows to securely manage accounts, as I can update, change password, and most of all disable users, without the risk of forgetting to operate on some remote machine that is not well documented.
Last but not least, a local user account is not affected by any issue arising in the Active Directory itself. What if I loose my only domain controller, and the only way to restore it is to go through Veeam, but I cannot do it since the domain is (again) lost?

With these and other concepts, choosing between local or domain is about what priority you give to different aspects of the design.