slanetw
Novice
Posts: 6
Liked: never
Joined: Mar 11, 2019 9:33 am
Full Name: Steve Lane
Contact:

Password stored in Plain Text

Post by slanetw »

I have just been reviewing some log files for the VBO365, before generating a case, to see if I can work out what is going on and have noticed that the account that is used to manage, has the password stored in plain text in the log files (when generating the support bundle).

I am sure this is not right and it should be encrypted.

Is there a way to do this, before I generate and send some log files to Veeam? Is this an oversight, as I can't remember this in the past (unless I didn't look closely enough..)

I am using version 6.1.0.254 P20220825

Thanks

Steve
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Password stored in Plain Text

Post by Mildur »

Hi Steve

Can you maybe share the log file name with me?
There shouldn't be any passwords in plain text in the log files.
I would like to check that in my lab.

Maybe you can also provide an example (after masking the password with x or * of course).


Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Password stored in Plain Text

Post by slanetw »

Hi Fabian,

The file name is Veeam.Archiver.REST_2022_10_10_21_10_24

The text I can see is as follows (with the username *** out and the password ## out)


[11.10.2022 00:32:49]   19 (5888) No resources to close
[11.10.2022 00:32:49]   19 (5888) Next lifetime resource pool check time: 11/10/2022 01:32:50 ArchiverServerSession.
[11.10.2022 00:32:49]   19 (5888) Lifetime resources pool check successfully completed: ArchiverServerSession
[11.10.2022 00:32:49]  213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs?limit=1000000&username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49]  213 (3692) Action started: Get jobs (API version: V5)
[11.10.2022 00:32:49]  213 (3692) Action completed successfully: Get jobs
[11.10.2022 00:32:49]  213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs/c40c7007-4d22-4ba2-8c4b-02cda00da763/JobSessions?username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49]  213 (3692) Action started: Get jobsessions (API version: V5)
[11.10.2022 00:32:49]  213 (3692) Action completed successfully: Get jobsessions
[11.10.2022 00:32:49]  213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/JobSessions/d61860d5-65c1-4e23-9b2b-bf8649d2e295/LogItems?limit=1000000&username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49]  213 (3692) Action started: Get log (API version: V5)
[11.10.2022 00:32:49]  213 (3692) Action completed successfully: Get log
[11.10.2022 00:32:49]  213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs/0ecd98f3-3a90-4bcc-9619-0725784c07b2/JobSessions?username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49]  213 (3692) Action started: Get jobsessions (API version: V5)
[11.10.2022 00:32:49]  213 (3692) Action completed successfully: Get jobsessions

Please let me know if you need any more information.

Thanks

Steve

Re: Password stored in Plain Text

Post by Mildur »

Hi Steve

I assume it's the same issue as this one: https://forums.veeam.com/post466090.html#p466090
Please check your scripts.

It seems that in your script the URLs are hardcoded with "?username=LAW%5C***********&grant_type=password&password=##########"
That's completely unnecessary and will not even be processed by the VB365 server. You have to provide the access token within the request header.

With advanced logging, our log file will log any URL that you have tried to access the VB365 RestAPI service. Each Webserver does that.
That's why there are Access Tokens. They are the only supported and secure way to authenticate with the VB365 Rest API Endpoints and will not be logged.
https://helpcenter.veeam.com/archive/vb ... ation.html

Thanks
Fabian
Product Management Analyst @ Veeam Software
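
The log excerpt and reply above show credentials reaching the log through URL query strings. As an added example (not part of the original thread and not Veeam code), this Python sketch finds `Request:` lines carrying credential parameters and redacts their values before a log is shared; the parameter list, the `REDACTED` marker and the sample host and values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as credentials (assumed list; extend as needed).
SENSITIVE = ("password", "username", "access_token", "refresh_token", "client_secret")

REQUEST_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?Request: (?P<method>[A-Z]+) (?P<url>\S+)")
PARAM_RE = re.compile(r"([?&](?:%s)=)[^&\s]*" % "|".join(SENSITIVE), re.IGNORECASE)


def scan_line(line):
    """Return (scrubbed_line, finding); finding is None for clean lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return line, None
    parts = urlsplit(m.group("url"))
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(names.intersection(SENSITIVE))
    if not leaked:
        return line, None
    finding = {"time": m.group("ts"), "method": m.group("method"),
               "path": parts.path, "params": leaked}
    # Replace only the values, so the rest of the line stays intact for support.
    return PARAM_RE.sub(r"\1REDACTED", line), finding


def scrub(lines):
    """Scrub an iterable of log lines; return (clean_lines, findings)."""
    clean, findings = [], []
    for line in lines:
        new, finding = scan_line(line)
        clean.append(new)
        if finding:
            findings.append(finding)
    return clean, findings


# Constructed sample in the format of the excerpt above (host and values are made up).
SAMPLE = [
    "[11.10.2022 00:32:49]   19 (5888) No resources to close",
    "[11.10.2022 00:32:49]  213 (3692) Request: GET https://vbo.example.test:4443/v5/Jobs?limit=1000000&username=LAB%5Csvc-monitor&grant_type=password&password=Examp1e%21",
    "[11.10.2022 00:32:49]  213 (3692) Action started: Get jobs (API version: V5)",
    "[11.10.2022 00:32:49]  213 (3692) Request: GET https://vbo.example.test:4443/v5/Jobs?limit=10",
]

if __name__ == "__main__":
    clean, findings = scrub(SAMPLE)
    print("\n".join(clean))
    for f in findings:
        print("credential in URL:", f)
```

Each finding records the time and API path of the offending request, which helps trace the client that is sending credentials in the URL; a password that has already been written to a log should be rotated.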

Re: Password stored in Plain Text

Post by slanetw »

Hi Fabian,

That link doesn't work for the post you sent me. In addition, we are not using any scripts that we are aware of, and the config is pretty much out of the box.

Shall I arrange a support case to investigate this further?

Thanks

Steve

Re: Password stored in Plain Text

Post by Mildur »

I updated the link. It should work now.
There should be a third-party tool which is accessing these URLs:
https://lonvbo001.law.firm.priv:4443/v5/JobSessions

Any chance, that you have a monitoring or ticketing system in place?

Thanks
Fabian
Product Management Analyst @ Veeam Software