-
- Novice
- Posts: 5
- Liked: never
- Joined: Nov 14, 2017 1:19 pm
- Full Name: J Sowards
- Contact:
Veeam B&R Certificates and Nessus Scan vulnerability
Re: Support case ID 03363221
I was asked to route this case to a developer by Veeam Support. We run Tenable Nessus in our company to do vulnerability scans of our systems. During a recent scan of our systems, which includes our Veeam B&R server, a medium finding was discovered (https://www.tenable.com/plugins/nessus/121009): 4 of the 5 Veeam certificates are issued with a 10-year validity date. According to the Tenable article, the CA/Browser Forum has passed a resolution that SSL/TLS certificates can no longer be valid over 825 days without triggering this vulnerability.
Is there a plan to address this issue to mitigate this vulnerability?
Thank you.
-
- Expert
- Posts: 206
- Liked: 41 times
- Joined: Nov 01, 2017 8:52 pm
- Full Name: blake dufour
- Contact:
Re: Veeam B&R Certificates and Nessus Scan vulnerability
We run Nessus and I've never seen that vulnerability related to Veeam certs. Are these self-signed certs or what? By default, Veeam self-signed certs are good for a year.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam B&R Certificates and Nessus Scan vulnerability
Hi sowardsj,
I believe bdufour is right. Can you check which certificates these are? If these are created by Veeam B&R itself, I will work with our security team to dive into this. But I would need to know which certificates and how they were created first.
Thanks
Mike
-
- Novice
- Posts: 5
- Liked: never
- Joined: Nov 14, 2017 1:19 pm
- Full Name: J Sowards
- Contact:
Re: Veeam B&R Certificates and Nessus Scan vulnerability
2 self-signed SSL certificates with a 10-year validity date - friendly name "Veeam Self-Signed Certificate"
1 self-signed SSL certificate with a 10-year validity date - friendly name "Veeam Mount Service Certificate"
1 self-signed SSL certificate with a 10-year validity date - friendly name "Veeam Backup Server Certificate"
1 self-signed SSL certificate with a 1-year validity date - friendly name "Veeam Backup Server Certificate"
These certificates would have been created by Veeam. They were not created by our internal CA.
-
- Novice
- Posts: 5
- Liked: never
- Joined: Nov 14, 2017 1:19 pm
- Full Name: J Sowards
- Contact:
Re: Veeam B&R Certificates and Nessus Scan vulnerability
Please reference URL https://www.tenable.com/plugins/nessus/121009 which describes this vulnerability.
The article was published by Tenable on 2019/01/08 and modified 2019/01/18 so this is a recent update.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam B&R Certificates and Nessus Scan vulnerability
Yes, these are "default" self-generated certificates. Have you considered generating or using your own certificate instead?
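To answer the question of which certificates on the server exceed the 825-day validity limit from the Tenable plugin cited in this thread, the following PowerShell inventory is an added example, not part of any post above and not Veeam's or Tenable's code. It assumes the certificates are in the Windows LocalMachine certificate store and carry friendly names starting with "Veeam", as in the list posted in the thread.

```powershell
# Added example: list certificates whose validity period exceeds the
# 825-day limit referenced by Nessus plugin 121009 (per the thread).
# Assumptions: certificates are under Cert:\LocalMachine and their
# friendly names start with "Veeam"; adjust both for your environment.
$MaxValidityDays    = 825
$FriendlyNameFilter = 'Veeam*'

$findings = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    # -Recurse also returns store containers; keep only certificate objects
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.FriendlyName -like $FriendlyNameFilter } |
    ForEach-Object {
        $validityDays = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays)
        [pscustomobject]@{
            # Last path segment of the parent path is the store name (My, Root, ...)
            Store        = ($_.PSParentPath -split '\\')[-1]
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            # Heuristic: subject equal to issuer indicates a self-signed certificate
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            NotBefore    = $_.NotBefore
            NotAfter     = $_.NotAfter
            ValidityDays = $validityDays
            Expired      = ($_.NotAfter -lt (Get-Date))
        }
    } |
    Where-Object { $_.ValidityDays -gt $MaxValidityDays } |
    Sort-Object -Property ValidityDays -Descending

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No matching certificates exceed $MaxValidityDays days of validity."
}
```

The same certificate can appear in more than one store, so compare thumbprints before counting findings against the scanner's report.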