-
- Enthusiast
- Posts: 58
- Liked: 12 times
- Joined: Sep 09, 2010 9:45 am
- Full Name: Anders Lorensen
- Contact:
Veeam and security
I've worked with Veeam since the first versions. I work as a consultant and see a lot of Veeam installations. I've never hit any security-related issues with the software until lately, when I found a security-related bug in Veeam. A bug that looks like it has existed since at least version 6.5, but with v8 became critical in my eyes.
So I wanted to report the bug to Veeam. I first looked on the Veeam web site to see if Veeam has some kind of "security task force" - nothing found. So I opened a support case with detailed info on the bug. I was met by a Level 1 supporter who did not understand the problem and its scope. After asking for it to be escalated, it finally reached the state "R&D says it's a known bug and will be fixed in v9".
(Case 01060568)
The bug affects all customers (possibly only when using VMware; I haven't tested with Hyper-V). I don't want to go into details here in public, as the bug is still not fixed. The bug is not "Heartbleed-critical" but could help hackers get access to (non-Veeam) systems a lot more easily. The bug has a simple "workaround" fix, if you know it exists. If you don't know it exists, it will expose security information about the systems it backs up. Right now I fear very few people know about it.
I was expecting more from Veeam than a personal "known bug, fixed in a future release". I am (was) expecting to be informed about security-related bugs. I trust all my data to Veeam software. How else can I trust Veeam with my very sensitive data if Veeam doesn't help me secure Veeam installations?
Am I missing something here? Is there a hidden mailing list that sends out information about security-related issues in Veeam products? If not, consider this a "feature request".
Thanks for reading,
Anders
-
- Chief Product Officer
- Posts: 31521
- Liked: 6699 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam and security
Hi, Anders.
Thanks for your feedback - we will discuss the best way to handle this. It's a much more complex topic than you might think from the user perspective, because it is considered bad practice to draw attention to the existence of a security breach until it is fixed in the code (responsible disclosure), as even merely hinting at the product area where the issue occurs gives attackers a huge benefit in pursuing and determining it.
Nevertheless, we will review and determine the best course of action. There simply has not been a need to establish this process before, as no security-related issues were reported (or found internally). Our devs are pretty serious about security and do constant code reviews to ensure there are no holes. This is the reason why you've "never hit any security-related issues with the software", as you noted above. But, of course, it is impossible to catch everything - especially as the product gets more and more functionality. In fact, we had another security issue reported earlier that is fixed in Update 3. So, we truly appreciate any help from our users in finding those.
Rest assured, it is our policy to address any and all reported security issues in the immediate product update.
Thanks again!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 05, 2015 3:39 pm
- Full Name: ISGroup
- Location: Verona, Italy
- Contact:
Re: Veeam and security
Hi Gostev,
sorry to hijack this thread. Will Case # 00984117 be fixed with Update 3?
Thanks,
Francesco Ongaro
http://www.isgroup.it/
-
- Chief Product Officer
- Posts: 31521
- Liked: 6699 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam and security
Hi, yes, it is fixed. In my previous post, I was actually talking about the issue you found.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 05, 2015 3:39 pm
- Full Name: ISGroup
- Location: Verona, Italy
- Contact:
Re: Veeam and security
Great!
If you give me a link to the patch and changelog I'll happily include it in the advisory. Do you want to review the draft before it goes public?
Thanks,
Francesco Ongaro
http://www.isgroup.it/
-
- Chief Product Officer
- Posts: 31521
- Liked: 6699 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam and security
We are live > KB2068