Comprehensive data protection for all workloads
Post Reply
mpasaa
Enthusiast
Posts: 36
Liked: 2 times
Joined: Sep 08, 2009 3:28 pm
Full Name: Mike Audet

DROWN SSL status Veeam 9

Post by mpasaa »

Does anyone have any information on Veeam 9 (latest build) and whether all of the recent SSL vulnerabilities such as DROWN have been addressed? I've got a security team saying our Veeam server is vulnerable but I've even added the requisite SSL regkeys to explicitly disable both SSL 2 & 3 AND the only thing running on this server is Veeam. Nothing complicated. If anyone can send me links to documents stating this app is not vulnerable I can forward that info on to these security guys and get on with life :-) thanks....
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: DROWN SSL status Veeam 9

Post by foggy »

Hi Mike, here's a quote from the three months old Veeam Community Digest by Anton:
Gostev wrote:Another major OpenSSL vulnerability known as DROWN attack was discovered last week, and it is said to affect one third of all HTTPS web sites on the internet. The actual issue sits in SSL v2 protocol, and it allows attacker to expose private RSA keys, thus enabling them to break TLS. Addressing the vulnerability should be the highest priority since it looks very easy to exploit, for example it took researchers under 8 hours to do this using Amazon EC2 at a cost of $440 (what a nice tool for hackers this). You can test your web-site using the web-based test tool. Veeam web site has been promptly patched last week, while our products are not affected (hail Windows, hail Secure Channel).
mpasaa
Enthusiast
Posts: 36
Liked: 2 times
Joined: Sep 08, 2009 3:28 pm
Full Name: Mike Audet

Re: DROWN SSL status Veeam 9

Post by mpasaa »

Thanks for the info. I am not concerned with Veeam's website as much as I was with their application which is what our security teams scan all the time. The last line of the excerpt answers my question...their apps are not affected and is all I need to know...awesome! if they still see a vulnerability after confirming this app is OK and all Windows regkeys explicitly disabling both SSL 2 & 3 THEN their security tools are the problem. Cool.thx
mpasaa
Enthusiast
Posts: 36
Liked: 2 times
Joined: Sep 08, 2009 3:28 pm
Full Name: Mike Audet

Re: DROWN SSL status Veeam 9

Post by mpasaa »

I just made a GPO change to address this Microsoft Security Advisory 3009008 and also added the SSL 2.0 & 3.0 registry keys to my Veeam server to disable both and now I see this error on all of my jobs. Either Veeam doesn't like the local registry key or the GPO

Failed to create processing task for VM <name removed>Error: Provider load failure
Error: The remote procedure call was cancelled RPC function call failed. Function name: [DoRpc]. Target machine: [IP removed]. The remote procedure call was cancelled RPC function call failed. Function name: [DoRpc]. Target machine: [IP removed].

Local regkey change is this and I've done this on other servers and Veeam has never had an issue backing them up so I am thinking Veeam has an issue with its own registry key set to this OR the GPO from the above ADVISORY is now causing issues with all backups.

Disable SSL 3.0 in Windows
For Server Software
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New ‐> Key option from the
Edit menu.
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double‐click the value to edit its current value.
6. In the Edit DWORD ﴾32‐bit﴿ Value dialog box, type 0 .
7. Click OK. Restart the computer.

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
3.0\Server
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: DROWN SSL status Veeam 9

Post by skrause »

Did you reboot the Veeam server after applying the GPO? schannel changes require a system reboot to take effect.
Steve Krause
Veeam Certified Architect
mpasaa
Enthusiast
Posts: 36
Liked: 2 times
Joined: Sep 08, 2009 3:28 pm
Full Name: Mike Audet

Re: DROWN SSL status Veeam 9

Post by mpasaa »

Rebooted several times already. I just removed the SERVER regkeys from the Microsoft advisory and rebooted and was able to run a manual backup on a previously failed server. I am letting our backups run for a couple of days to see if that's all I needed to do OR if this GPO is the culprit. Clearly, blocking/disabling ssl via these keys appears to break Veeam on some level. Not sure if forcing it to use TLS connections or something else is the issue.
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], Kazz and 92 guests