Comprehensive data protection for all workloads
Post Reply
sowardsj
Novice
Posts: 5
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards
Contact:

Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj »

Re: Support case ID 03363221

I was asked to route this case to a developer by Veeam Support. We run Tenable Nessus in our company to do vulnerability scans of our systems. During a recent scan of our systems which includes our Veeam B&R server, a medium finding was discovered (https://www.tenable.com/plugins/nessus/121009) on 4 of the 5 Veeam Certificates are issued a 10 year validity date. According to the Tenable article, the CA/Browser forum has passed a resolution that SSL/TLS certificates can no longer be valid over 825 days without triggering this vulnerability.

Is there a plan to address this issue to mitigate this vulnerability.

Thank you.
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour
Contact:

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by bdufour »

we run nessus and ive never seen that vulnerability related to veeam certs. are these self signed certs or what? by default, veeam self signed certs are good for a year..
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by Mike Resseler »

Hi sowardsj,

I believe bdufour is right. Can you check which certificates these are? If these are created by Veeam B&R itself I will work with our security team to dive into this. But I would need to know which certificates and how they were created first

Thanks
Mike
sowardsj
Novice
Posts: 5
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards
Contact:

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj »

2 self signed SSL certificates with a 10 year validity date - friendly name "Veeam Self-Signed Certificate"
1 self signed SSL certificate with a 10 year validity date - friendly name "Veeam Mount Service Certificate"
1 self signed SSL certificate with a 10 year validity date - friendly name "Veeam Backup Server Certificate"
1 self signed SSL certificate with a 1 year validity date - friendly name "Veeam Backup Server Certificate"

These certificates would have been created by Veeam. They were not created by our internal CA.
sowardsj
Novice
Posts: 5
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards
Contact:

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj »

Please reference URL https://www.tenable.com/plugins/nessus/121009 which describes this vulnerability.
The article was published by Tenable on 2019/01/08 and modified 2019/01/18 so this is a recent update.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by Gostev »

Yes, these are "default" self-generated certificates. Have you considered generating or using your own certificate instead?
Post Reply

Who is online

Users browsing this forum: No registered users and 117 guests