mpasaa
Enthusiast
Posts: 36
Liked: 2 times
Joined: Sep 08, 2009 3:28 pm
Full Name: Mike Audet

DROWN SSL status Veeam 9

Post by mpasaa »

Does anyone have any information on Veeam 9 (latest build) and whether all of the recent SSL vulnerabilities such as DROWN have been addressed? I've got a security team saying our Veeam server is vulnerable but I've even added the requisite SSL regkeys to explicitly disable both SSL 2 & 3 AND the only thing running on this server is Veeam. Nothing complicated. If anyone can send me links to documents stating this app is not vulnerable I can forward that info on to these security guys and get on with life :-) thanks....
foggy
Veeam Software
Posts: 21071
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: DROWN SSL status Veeam 9

Post by foggy »

Hi Mike, here's a quote from the three-month-old Veeam Community Digest by Anton:
Gostev wrote: Another major OpenSSL vulnerability known as DROWN attack was discovered last week, and it is said to affect one third of all HTTPS web sites on the internet. The actual issue sits in the SSL v2 protocol, and it allows an attacker to expose private RSA keys, thus enabling them to break TLS. Addressing the vulnerability should be the highest priority since it looks very easy to exploit; for example, it took researchers under 8 hours to do this using Amazon EC2 at a cost of $440 (what a nice tool for hackers this is). You can test your web site using the web-based test tool. The Veeam web site was promptly patched last week, while our products are not affected (hail Windows, hail Secure Channel).
mpasaa

Re: DROWN SSL status Veeam 9

Post by mpasaa »

Thanks for the info. I am not concerned with Veeam's website as much as I was with their application, which is what our security teams scan all the time. The last line of the excerpt answers my question... their apps are not affected, and that is all I need to know... awesome! If they still see a vulnerability after confirming this app is OK and all Windows regkeys explicitly disabling both SSL 2 & 3, THEN their security tools are the problem. Cool. Thx
mpasaa

Re: DROWN SSL status Veeam 9

Post by mpasaa »

I just made a GPO change to address Microsoft Security Advisory 3009008 and also added the SSL 2.0 & 3.0 registry keys to my Veeam server to disable both, and now I see this error on all of my jobs. Either Veeam doesn't like the local registry key or the GPO.

Failed to create processing task for VM <name removed>Error: Provider load failure
Error: The remote procedure call was cancelled RPC function call failed. Function name: [DoRpc]. Target machine: [IP removed]. The remote procedure call was cancelled RPC function call failed. Function name: [DoRpc]. Target machine: [IP removed].

The local regkey change is shown below. I've done this on other servers and Veeam has never had an issue backing them up, so I am thinking Veeam has an issue with its own registry key set to this, OR the GPO from the above ADVISORY is now causing issues with all backups.

Disable SSL 3.0 in Windows
For Server Software
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
6. In the Edit DWORD (32-bit) Value dialog box, type 0.
7. Click OK. Restart the computer.
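As an added example (not code from this thread or from Veeam), here is a PowerShell script that audits the Schannel protocol keys the advisory refers to on the local server and can set the explicit Enabled = 0 for one protocol/role pair, so the state written by a GPO and by a local key can be compared after a reboot. The function names are my own; the key layout (Protocols\<protocol>\Client and \Server with Enabled and DisabledByDefault DWORDs) is the documented Schannel one, and a reboot is still required for changes to take effect.

```powershell
# Added example, not code from this thread or from Veeam. Audits the Schannel
# protocol keys from Microsoft Security Advisory 3009008 and can set the
# explicit Enabled = 0 for one protocol/role. Run elevated; reboot afterwards.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Roles        = 'Client', 'Server'

function Get-SchannelProtocolState {
    # One row per protocol/role; an absent key means the OS default applies,
    # which is different from an explicit Enabled = 0.
    foreach ($p in $Protocols) {
        foreach ($r in $Roles) {
            $path   = Join-Path (Join-Path $SchannelBase $p) $r
            $exists = Test-Path $path
            $props  = if ($exists) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Protocol           = $p
                Role               = $r
                KeyExists          = $exists
                Enabled            = if ($props) { $props.Enabled } else { $null }
                DisabledByDefault  = if ($props) { $props.DisabledByDefault } else { $null }
                ExplicitlyDisabled = ($props -and $props.Enabled -eq 0)
            }
        }
    }
}

function Disable-SchannelProtocol {
    # Hypothetical helper name; writes the same Enabled = 0 the advisory's manual
    # steps produce, plus DisabledByDefault = 1, the documented companion value.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $path = Join-Path (Join-Path $SchannelBase $Protocol) $Role
    if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0, DisabledByDefault=1')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -Type DWord
    }
}

# Report the current state; use -WhatIf on the disable call to preview changes.
Get-SchannelProtocolState | Format-Table -AutoSize
# Disable-SchannelProtocol -Protocol 'SSL 3.0' -Role Server -WhatIf
```

Running the audit before and after applying the GPO shows whether the policy and the local key agree, which narrows down which of the two is in effect when jobs start failing.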
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause

Re: DROWN SSL status Veeam 9

Post by skrause »

Did you reboot the Veeam server after applying the GPO? Schannel changes require a system reboot to take effect.
Steve Krause
Veeam Certified Architect
mpasaa

Re: DROWN SSL status Veeam 9

Post by mpasaa »

Rebooted several times already. I just removed the SERVER regkeys from the Microsoft advisory, rebooted, and was able to run a manual backup on a previously failed server. I am letting our backups run for a couple of days to see if that's all I needed to do OR if this GPO is the culprit. Clearly, blocking/disabling SSL via these keys appears to break Veeam on some level. Not sure if forcing it to use TLS connections or something else is the issue.