Maintain control of your Microsoft 365 data
b.vanhaastrecht
Service Provider
Posts: 833
Liked: 154 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands

Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

Hi,

When using grant_type=password, the password of the user making the REST API calls is written to the logs. This is a security issue; the password should be masked.

[14.10.2022 10:00:03] 101 (9824) Action completed successfully: Get jobsessions
[14.10.2022 10:00:03] 101 (9824) Request: GET https://<vbo-url>/v6/JobSessions/c5d4971d-b747-4571-a45d-c8d92213a14d/LogItems?limit=1000000&username=<real-user-name>&grant_type=password&password=<the-real-password>

Behavior is the same in normal and extended logging.

Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Password exposed in Veeam.Archiver.REST logs

Post by Mildur »

Hi Bastiaan

May I ask, in which log can you see these calls? Is it the Veeam.Archiver.REST*.log file?

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

Hi Fabian, yes that's correct.

Re: Password exposed in Veeam.Archiver.REST logs

Post by Mildur »

Hi Bastiaan

I checked the logs. I can use only one API call with "grant_type=password".
The endpoint is https://VB365-URL:4443/v6/token to get my access token for all other queries. After I got my access token, the Veeam.Archiver.REST*.log file only shows me a key id, but not the provided password:
[14.10.2022 13:30:48] 154 (11204) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:30:48] 154 (11204) Adding new resource (key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, pool: ArchiverServerSession)...
[14.10.2022 13:30:48] 154 (11204) Authorization succeeded
And my log entries for querying all jobs (https://VB365-URL:4443/v6/Jobs):
[14.10.2022 13:43:18] 137 (16444) Request: GET https://VB365-URL:4443/v6/Jobs
[14.10.2022 13:43:18] 137 (16444) Action started: Get jobs (API version: V6)
[14.10.2022 13:43:18] 137 (16444) Action completed successfully: Get jobs
Your query looks like you are using grant_type=password for querying directly https://<vbo-url>/v6/JobSessions?
I tried to do that in my lab, but only access tokens work. I can't use grant_type=password for any other endpoint.
From which VB365 version is your log file?

Thanks
Fabian

Re: Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

We are using the latest version, and these logs are from the latest version P20220926.

This is a bigger log snippet:


[14.10.2022 13:40:00]   68 (9920) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:40:00]   68 (9920) Backup server session already exists (user=<domain>\<username> key=fe0aea77-b7ae-435b-a9ad-bdecd76xxxxxx)
[14.10.2022 13:40:00]   68 (9920) Credentials refreshed (key=fe0aea77-b7ae-435b-a9ad-bdecxxxxxx)
[14.10.2022 13:40:00]   68 (9920)  Authorization succeeded
[14.10.2022 13:40:00]   68 (9920) Request: GET https://<vbo-url>/v6/Jobs?limit=1000000&username=<domain>%5C<username>&grant_type=password&password=<password>
[14.10.2022 13:40:00]   68 (9920) Action started: Get jobs (API version: V6)
[14.10.2022 13:40:00]   68 (9920) Action completed successfully: Get jobs
The authentication request does not reveal the password, but the following resource requests do.
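The snippet above is the kind of thing to check for before a Veeam.Archiver.REST*.log ever leaves the server. What follows is an added example, not code from the thread or from Veeam: a small Python scanner that parses the "Request:" lines, reports which of them carry credential parameters in the query string, and redacts those values. The sample log embedded in it is constructed in the format quoted above; the host name, account and password in it are made up.

```python
import re
import sys
from urllib.parse import parse_qsl, urlsplit

# Query parameter names whose values should never reach a log file.
SENSITIVE_PARAMS = {"password", "username", "grant_type", "refresh_token", "client_secret"}

# Matches the "Request: <METHOD> <URL>" entries in Veeam.Archiver.REST*.log.
REQUEST_RE = re.compile(r"Request:\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Redacts the value of any sensitive parameter in a query string.
REDACT_RE = re.compile(
    r"([?&])(" + "|".join(map(re.escape, sorted(SENSITIVE_PARAMS))) + r")=[^&\s]*",
    re.IGNORECASE,
)

# Constructed sample, modelled on the log format quoted in the thread; host,
# account and password are made up.
SAMPLE_LOG = """\
[14.10.2022 13:40:00]   68 (9920) Authorization started (grant type: UsernamePassword)
[14.10.2022 13:40:00]   68 (9920) Credentials refreshed (key=fe0aea77-b7ae-435b-a9ad-bdecxxxxxx)
[14.10.2022 13:40:00]   68 (9920) Authorization succeeded
[14.10.2022 13:40:00]   68 (9920) Request: GET https://vb365.example.test:4443/v6/Jobs?limit=1000000&username=CORP%5Csvc-backup&grant_type=password&password=S3cret%21
[14.10.2022 13:40:00]   68 (9920) Action started: Get jobs (API version: V6)
[14.10.2022 13:43:18]  137 (16444) Request: GET https://vb365.example.test:4443/v6/Jobs
[14.10.2022 13:43:18]  137 (16444) Action completed successfully: Get jobs
"""


def find_credential_leaks(log_text):
    """Return one (line_no, method, path, leaked_param_names) tuple for every
    Request line whose query string carries a credential parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        leaked = sorted(names & SENSITIVE_PARAMS)
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings


def redact_line(line):
    """Replace sensitive query parameter values with *** so the line can be shared."""
    return REDACT_RE.sub(r"\1\2=***", line)


if __name__ == "__main__":
    # Usage: python leaks.py Veeam.Archiver.REST.log  (reads the sample when no file is given)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line_no, method, path, leaked in find_credential_leaks(text):
        print(f"line {line_no}: {method} {path} exposes {', '.join(leaked)}")
```

On the sample it flags only line 4 (GET /v6/Jobs with grant_type, password and username in the query); the plain GET /v6/Jobs line is left alone. Run it over the real log after a scripted session: any hit means the script, not the token endpoint, is putting credentials on the URL.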

Re: Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

OK, it seems disabling extended logging needs a restart of both the "Veeam Backup for Microsoft 365 Service" and the "Veeam Backup Proxy for Microsoft 365 Service" service. After disabling extended logging and restarting these services, the resource URL entry is no longer added to the logs and so no password is logged. So the passwords are only logged with extended logging enabled.

Nevertheless, even with extended logging passwords should never ever be written down in logs.

Re: Password exposed in Veeam.Archiver.REST logs

Post by Mildur »

Can you maybe share the part of your script, where you access the https://<vbo-url>/v6/Jobs?limit=1000000&username=<domain>%5C<username>&grant_type=password&password=<password> endpoint?

I believe, you have hardcoded these values in each URL you want to query.
Providing &username=<domain>%5C<username>&grant_type=password&password=<password> in this URL is unnecessary. It will not be processed by the VB365 server.

If so, please remove &username=<domain>%5C<username>&grant_type=password&password=<password> from any API calls in your script.
The only call which requires username/password in the request is the API call to get your access token. In every other API call, username/password is not required. You only have to provide your access token in the request header as noted in our user guide. This is the supported and only secure way to do these API calls.
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=60

Why it is in our log?
Our log will log any requested URL with any additional values you provide. It doesn't check each value if it's legit or not.
It's similar to a debug log file on a web server, which shows you the URL the customer has requested. You can see the exact URLs the customer has used to access the web server.

Here is an example. I wrote some garbage at the end of the URL and used CURL to do the API call:

[screenshot of the resulting log entry]
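The flow Fabian describes, written out as an added example (not code from the thread, and not Veeam's own client code), in Python using only the standard library. The token endpoint https://<host>:4443/v6/token and the grant_type/username/password form fields are the ones named in this thread; the response field names access_token and token_type are an assumption taken from the OAuth2 password grant, and the host name in the usage comment is made up. The point of the example is structural: the password goes once, in the body of the token request, and every later request carries only the bearer token, so the "Request:" lines in Veeam.Archiver.REST*.log show bare URLs. A guard refuses to build any request that would put credentials back on the URL, which is exactly the mistake that produced the log lines above.

```python
import json
import os
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request, urlopen

# Query parameters that must never appear on an API URL: the VB365 server ignores
# them on non-token endpoints and the Veeam.Archiver.REST log records the full URL.
BLOCKED_QUERY_KEYS = {"username", "password", "grant_type"}


def build_token_request(base_url, username, password):
    """The only request that legitimately carries the password: POST /v6/token with a
    form-urlencoded body. The body is not part of the URL, so it is not what the
    REST log's "Request:" line records."""
    body = urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode("utf-8")
    return {
        "method": "POST",
        "url": f"{base_url}/v6/token",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": body,
    }


def credentials_in_query(url):
    """Return the set of credential parameter names present in the URL's query string."""
    keys = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return keys & BLOCKED_QUERY_KEYS


def build_api_request(base_url, path, access_token, method="GET"):
    """Every request after the token call carries only the bearer token, in the
    Authorization header. Refuses to build a request that would smuggle credentials
    in the query string (the mistake discussed in the thread)."""
    url = f"{base_url}{path}"
    leaked = credentials_in_query(url)
    if leaked:
        raise ValueError(f"credential parameters in query string: {sorted(leaked)}")
    return {
        "method": method,
        "url": url,
        "headers": {"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
        "body": None,
    }


def extract_access_token(token_response):
    """Pull the bearer token out of the decoded token response. The field names
    access_token and token_type are an assumption taken from the OAuth2 password
    grant; check them against the VB365 REST reference for your version."""
    token = token_response.get("access_token")
    if not token or token_response.get("token_type", "bearer").lower() != "bearer":
        raise ValueError("token response did not contain a bearer access_token")
    return token


def send(req, timeout=30):
    """Perform a prepared request and decode the JSON body. TLS verification is left
    on; if the VB365 server uses a self-signed certificate, trust that certificate
    on the client rather than disabling verification."""
    r = Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])
    with urlopen(r, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Example run: credentials come from the environment, never from the command line
    # (argv is visible in process listings). VB365_URL is e.g. https://vb365.example.test:4443
    base = os.environ["VB365_URL"]
    token = extract_access_token(
        send(build_token_request(base, os.environ["VB365_USER"], os.environ["VB365_PASS"]))
    )
    jobs = send(build_api_request(base, "/v6/Jobs?limit=100", token))
    json.dump(jobs, sys.stdout, indent=2)
```

With this shape, the only log entry that is allowed to involve the password is the "Authorization started (grant type: UsernamePassword)" sequence, which as Fabian's excerpt shows records a session key and not the password itself; the /v6/Jobs request is logged exactly as "Request: GET https://VB365-URL:4443/v6/Jobs". A script that trips the ValueError is doing what the original script did.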

Re: Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

Very interesting, I will look into this and report back. Sorry if I have incorrectly blamed Veeam for this.

Re: Password exposed in Veeam.Archiver.REST logs

Post by Mildur »

No, it's good to notify us about such findings.
Better to discuss it, than ignoring it. :)

Let me know if my assumption was correct. If not, a support case would probably be required.

Thanks
Fabian

Re: Password exposed in Veeam.Archiver.REST logs

Post by b.vanhaastrecht »

You were absolutely correct, I was adding the authentication to all subsequent requests. It's added as multipart/form-data, which results in it being added to the URL as parameters.

I removed the authentication from all subsequent requests and now I no longer see those passwords.

Thanks Fabian!

Re: Password exposed in Veeam.Archiver.REST logs

Post by Mildur »

You're welcome. Thanks for the update.
I'm glad that it is resolved.

Thanks
Fabian