- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Password exposed in Veeam.Archiver.REST logs
Hi,
When using grant_type=password, the password of the user making the REST API calls is written in the logs. This is a security issue; the password should be masked.
[14.10.2022 10:00:03] 101 (9824) Action completed successfully: Get jobsessions
[14.10.2022 10:00:03] 101 (9824) Request: GET https://<vbo-url>/v6/JobSessions/c5d4971d-b747-4571-a45d-c8d92213a14d/LogItems?limit=1000000&username=<real-user-name>&grant_type=password&password=<the-real-password>
Behavior is the same in normal and extended logging.
Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Posts: 9848
- Liked: 2609 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Password exposed in Veeam.Archiver.REST logs
Hi Bastiaan
May I ask, in which log can you see these calls? Is it the Veeam.Archiver.REST*.log file?
Thanks
Fabian
Product Management Analyst @ Veeam Software
- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Password exposed in Veeam.Archiver.REST logs
Hi Fabian, yes that's correct.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Posts: 9848
- Liked: 2609 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Password exposed in Veeam.Archiver.REST logs
Hi Bastiaan
I checked the logs. I can use only one API call with "grant_type=password".
The endpoint is https://VB365-URL:4443/v6/token to get my access token for all other queries. After I got my access token, the Veeam.Archiver.REST*.log file only shows me a key id, but not the provided password:
[14.10.2022 13:30:48] 154 (11204) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:30:48] 154 (11204) Adding new resource (key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, pool: ArchiverServerSession)...
[14.10.2022 13:30:48] 154 (11204) Authorization succeeded
And my log entries for querying all jobs (https://VB365-URL:4443/v6/Jobs):
[14.10.2022 13:43:18] 137 (16444) Request: GET https://VB365-URL:4443/v6/Jobs
[14.10.2022 13:43:18] 137 (16444) Action started: Get jobs (API version: V6)
[14.10.2022 13:43:18] 137 (16444) Action completed successfully: Get jobs
Your query looks like you are using grant_type=password for querying directly https://<vbo-url>/v6/JobSessions?
I tried to do that in my lab, but only access tokens work. I can't use grant_type=password for any other endpoint.
From which VB365 version is your log file?
Thanks
Fabian
Product Management Analyst @ Veeam Software
- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Password exposed in Veeam.Archiver.REST logs
We are using the latest version, and these logs are from the latest version P20220926.
The authentication request does not reveal the password, but the following resource requests do.
This is a bigger log snippet:
[14.10.2022 13:40:00] 68 (9920) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:40:00] 68 (9920) Backup server session already exists (user=<domain>\<username> key=fe0aea77-b7ae-435b-a9ad-bdecd76xxxxxx)
[14.10.2022 13:40:00] 68 (9920) Credentials refreshed (key=fe0aea77-b7ae-435b-a9ad-bdecxxxxxx)
[14.10.2022 13:40:00] 68 (9920) Authorization succeeded
[14.10.2022 13:40:00] 68 (9920) Request: GET https://<vbo-url>/v6/Jobs?limit=1000000&username=<domain>%5C<username>&grant_type=password&password=<password>
[14.10.2022 13:40:00] 68 (9920) Action started: Get jobs (API version: V6)
[14.10.2022 13:40:00] 68 (9920) Action completed successfully: Get jobs
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
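Detection logic for the leak shown in the snippet above, as an added example that is not part of the thread: it scans Veeam.Archiver.REST-style "Request: GET ..." entries for credential-bearing query parameters and produces a redacted copy of the line. The sample log, host, user and password are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that must never appear in a logged request URL.
SENSITIVE_PARAMS = ("password", "client_secret", "refresh_token", "access_token")

# "Request: GET https://..." is the shape of the request entries quoted in the thread.
REQUEST_RE = re.compile(r"(Request: [A-Z]+ )(https?://\S+)")
# Masks the value of any sensitive parameter while leaving the rest of the URL untouched.
MASK_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_PARAMS) + r")=[^&\s]*")

def find_sensitive_params(url):
    """Return the sorted names of sensitive query parameters present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})

def redact_url(url):
    """Replace each sensitive parameter value with *** (encoding of other values is preserved)."""
    return MASK_RE.sub(r"\1=***", url)

def scan_log(lines):
    """Return (line_no, leaked_param_names, redacted_line) for every request entry
    whose URL carries credentials; lines without a request URL are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        leaked = find_sensitive_params(match.group(2))
        if leaked:
            redacted = line[:match.start(2)] + redact_url(match.group(2)) + line[match.end(2):]
            findings.append((line_no, leaked, redacted))
    return findings

# Constructed sample modelled on the snippet in the thread (host, user and password are made up).
SAMPLE_LOG = """\
[14.10.2022 13:40:00] 68 (9920) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:40:00] 68 (9920) Credentials refreshed (key=00000000-0000-0000-0000-000000000000)
[14.10.2022 13:40:00] 68 (9920) Authorization succeeded
[14.10.2022 13:40:00] 68 (9920) Request: GET https://vb365.example.test:4443/v6/Jobs?limit=1000000&username=EXAMPLE%5Cbackupops&grant_type=password&password=Hunter2-Example
[14.10.2022 13:40:00] 68 (9920) Action started: Get jobs (API version: V6)
[14.10.2022 13:40:00] 68 (9920) Action completed successfully: Get jobs
[14.10.2022 13:43:18] 137 (16444) Request: GET https://vb365.example.test:4443/v6/Jobs
""".splitlines()

if __name__ == "__main__":
    for line_no, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: leaked {', '.join(leaked)} -> {redacted}")
```

Run it against a real Veeam.Archiver.REST*.log to confirm whether any client is still sending credentials in request URLs before and after extended logging is turned off.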
- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Password exposed in Veeam.Archiver.REST logs
Ok, it seems disabling extended logging needs a restart of both the "Veeam Backup for Microsoft 365 Service" and the "Veeam Backup Proxy for Microsoft 365 Service" service. After disabling extended logging and restarting these servers, the resource URL entry is no longer added to the logs and so no password is logged. So the passwords are only logged with extended logging enabled.
Nevertheless, even with extended logging passwords should never ever be written down in logs.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Posts: 9848
- Liked: 2609 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Password exposed in Veeam.Archiver.REST logs
Can you maybe share the part of your script where you access the https://<vbo-url>/v6/Jobs?limit=1000000&username=<domain>%5C<username>&grant_type=password&password=<password> endpoint?
I believe you have hardcoded these values in each URL you want to query.
Providing &username=<domain>%5C<username>&grant_type=password&password=<password> in this URL is unnecessary. It will not be processed by the VB365 server.
If so, please remove &username=<domain>%5C<username>&grant_type=password&password=<password> from any API calls in your script.
The only call which requires username/password in the request header is the API call to get your access token. In every other API call, username/password is not required. You only have to provide your access token in the request header as noted in our user guide. This is the supported and only secure way to do these API calls.
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=60
Why is it in our log?
Our log will log any requested URL with any additional values you provide. It doesn't check each value to see if it's legit or not.
It's similar to a debug log file on a webserver, which shows you the URL the customer has requested. You can see the exact URLs the customer has used to access the webserver.
Here is an example. I wrote some garbage at the end of the URL and used CURL to do the API call:
Product Management Analyst @ Veeam Software
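The flow described in the reply above, as an added example (not Veeam's code): credentials are sent once, in the POST body, to the /v6/token endpoint named in the thread, and every later request carries only the access token in a header, so nothing secret ever lands in the logged request URL. The "Bearer" header scheme, the fake server and its token response are assumptions constructed for the example; the user, password and host are made up.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

class Vb365Client:
    """Client for the supported flow: credentials go to /v6/token once, in the POST
    body, and every later call carries only the access token in a header."""

    def __init__(self, base_url, send):
        # send(method, url, headers, body) -> (status, text) is injected so this runs offline.
        self.base_url = base_url.rstrip("/")
        self.send = send
        self.token = None

    def login(self, username, password):
        body = urlencode({"grant_type": "password", "username": username, "password": password})
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, text = self.send("POST", f"{self.base_url}/v6/token", headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.token = json.loads(text)["access_token"]

    def get(self, path, **params):
        # No username/password here: the Authorization header is all the server needs.
        if self.token is None:
            raise RuntimeError("call login() before any other request")
        url = f"{self.base_url}{path}" + (f"?{urlencode(params)}" if params else "")
        status, text = self.send("GET", url, {"Authorization": f"Bearer {self.token}"}, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return json.loads(text)

def make_fake_server(log):
    """Constructed stand-in for a VB365 server: records each request URL the way the
    REST log does, issues a token for a valid POST, and requires a bearer token otherwise."""
    def send(method, url, headers, body):
        log.append(f"Request: {method} {url}")
        if method == "POST" and urlsplit(url).path == "/v6/token":
            form = parse_qs(body or "")
            if form.get("grant_type") == ["password"] and form.get("password") == ["Hunter2-Example"]:
                return 200, json.dumps({"access_token": "constructed-token", "token_type": "bearer"})
            return 401, "{}"
        if headers.get("Authorization") == "Bearer constructed-token":
            return 200, json.dumps({"results": [{"name": "Backup Job 1"}]})
        return 401, "{}"
    return send

def demo():
    log = []
    client = Vb365Client("https://vb365.example.test:4443", make_fake_server(log))
    client.login("EXAMPLE\\backupops", "Hunter2-Example")
    return client.get("/v6/Jobs", limit=1000000), log
```

The recorded request URLs are what the REST log would print; only the token endpoint and the plain Jobs query appear, with no username or password parameters.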
- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Password exposed in Veeam.Archiver.REST logs
Very interesting, I will look into this and report back. Sorry if I have incorrectly blamed Veeam for this.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Posts: 9848
- Liked: 2609 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Password exposed in Veeam.Archiver.REST logs
No, it's good to notify us about such findings.
Better to discuss it than ignore it.
Let me know if my assumption was correct. If not, a support case would probably be required.
Thanks
Fabian
Product Management Analyst @ Veeam Software
- Service Provider
- Posts: 881
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Password exposed in Veeam.Archiver.REST logs
You were absolutely correct, I was adding the authentication to all subsequent requests. It's added as multipart/form-data, which results in it being added to the URL as parameters.
I removed the authentication from all subsequent requests and now I no longer see those passwords.
Thanks Fabian!
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Posts: 9848
- Liked: 2609 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Password exposed in Veeam.Archiver.REST logs
You're welcome. Thanks for the update.
I'm glad that it is resolved.
Thanks
Fabian
Product Management Analyst @ Veeam Software