sowardsj
Novice
Posts: 4
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards

Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj » Jan 18, 2019 5:01 pm

Re: Support case ID 03363221

I was asked to route this case to a developer by Veeam Support. We run Tenable Nessus in our company to do vulnerability scans of our systems. During a recent scan of our systems, which includes our Veeam B&R server, a medium finding was discovered (https://www.tenable.com/plugins/nessus/121009): 4 of the 5 Veeam certificates are issued with a 10-year validity period. According to the Tenable article, the CA/Browser Forum has passed a resolution that SSL/TLS certificates can no longer be valid for over 825 days without triggering this vulnerability.

Is there a plan to address this issue to mitigate this vulnerability?

Thank you.

bdufour
Expert
Posts: 198
Liked: 29 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by bdufour » Jan 18, 2019 5:35 pm

We run Nessus and I've never seen that vulnerability related to Veeam certs. Are these self-signed certs or what? By default, Veeam self-signed certs are good for a year.

Mike Resseler
Product Manager
Posts: 5720
Liked: 605 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by Mike Resseler » Jan 19, 2019 7:21 am

Hi sowardsj,

I believe bdufour is right. Can you check which certificates these are? If these are created by Veeam B&R itself, I will work with our security team to dive into this. But I would need to know which certificates and how they were created first.

Thanks
Mike

sowardsj
Novice
Posts: 4
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj » Jan 21, 2019 12:57 pm

2 self-signed SSL certificates with a 10-year validity period - friendly name "Veeam Self-Signed Certificate"
1 self-signed SSL certificate with a 10-year validity period - friendly name "Veeam Mount Service Certificate"
1 self-signed SSL certificate with a 10-year validity period - friendly name "Veeam Backup Server Certificate"
1 self-signed SSL certificate with a 1-year validity period - friendly name "Veeam Backup Server Certificate"

These certificates would have been created by Veeam. They were not created by our internal CA.
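One way to reproduce the check behind Nessus plugin 121009 against an inventory like the one listed above. This is an added example, not Veeam's or Tenable's code: it walks the DER structure of an X.509 certificate with the Python standard library only, reports the notBefore/notAfter span in days, and flags anything over the 825-day CA/Browser Forum limit cited in the first post. The certificates it runs on are constructed, unsigned skeletons carrying the validity periods reported in this thread (empty names, placeholder key), not the real Veeam certificates; the friendly names, the INVENTORY list and the helper names are this example's own.

```python
"""Check X.509 validity periods against the 825-day CA/Browser Forum limit
(the condition Nessus plugin 121009 reports). Standard library only; added
example, not Veeam's or Tenable's code."""
import base64
from datetime import datetime, timezone

MAX_DAYS = 825  # limit cited in the Tenable plugin description

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos] (single-byte tags)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, value) for every TLV inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value

def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 4.1.2.5."""
    s = value.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ: YY < 50 means 20YY, else 19YY
        yy = int(s[:2])
        s = ("20%02d" if yy < 50 else "19%02d") % yy + s[2:]
    elif tag != 0x18:                       # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs = next(_children(cert))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, validity = fields[3]                 # serialNumber, signature, issuer, validity
    (nb_tag, nb), (na_tag, na) = list(_children(validity))
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

def validity_days(der):
    """Whole days between notBefore and notAfter."""
    not_before, not_after = certificate_validity(der)
    return (not_after - not_before).days

def exceeds_cab_limit(der, max_days=MAX_DAYS):
    """True when the certificate's validity period is longer than max_days."""
    return validity_days(der) > max_days

def scan(inventory, max_days=MAX_DAYS):
    """Return [(friendly_name, days, flagged)] for a list of (name, der_bytes)."""
    return [(name, validity_days(der), exceeds_cab_limit(der, max_days))
            for name, der in inventory]

def pem_to_der(pem_text):
    """Base64-decode the body of a PEM CERTIFICATE block (a Base64 .cer export)."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

# --- constructed test input: unsigned skeleton certs, NOT real Veeam certificates ---
def _tlv(tag, content):
    """Encode one DER TLV (definite length up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = 1 if n < 0x100 else 2
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def make_sample_cert(not_before, not_after):
    """Build a certificate skeleton from two UTCTime strings (YYMMDDHHMMSSZ).
    Names and key are empty placeholders; only the layout the parser walks is kept."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                              # [0] version v3
           + _tlv(0x02, b"\x01")                                         # serialNumber
           + sha256_rsa                                                  # signature
           + _tlv(0x30, b"")                                             # issuer (empty)
           + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
           + _tlv(0x30, b"")                                             # subject (empty)
           + _tlv(0x30, b""))                                            # SPKI placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00"))

# Constructed inventory with the validity periods reported in this thread.
INVENTORY = [
    ("Veeam Self-Signed Certificate",   make_sample_cert("190118170100Z", "290118170100Z")),
    ("Veeam Mount Service Certificate", make_sample_cert("190118170100Z", "290118170100Z")),
    ("Veeam Backup Server Certificate", make_sample_cert("190118170100Z", "290118170100Z")),
    ("Veeam Backup Server Certificate", make_sample_cert("190118170100Z", "200118170100Z")),
]
```

To run it against real certificates, export each one from the Windows machine store (certlm.msc, Base64-encoded X.509 .cer), read the file and pass the text through pem_to_der before scan. The parser only reads up to the Validity field, so it does not care whether the certificate is self-signed, which CA issued it, or whether the signature verifies; that is exactly what the scanner finding is about.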

sowardsj
Novice
Posts: 4
Liked: never
Joined: Nov 14, 2017 1:19 pm
Full Name: J Sowards

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by sowardsj » Jan 21, 2019 1:01 pm

Please reference URL https://www.tenable.com/plugins/nessus/121009 which describes this vulnerability.
The article was published by Tenable on 2019/01/08 and modified 2019/01/18 so this is a recent update.

Gostev
SVP, Product Management
Posts: 24785
Liked: 3513 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam B&R Certificates and Nessus Scan vulnerability

Post by Gostev » Jan 21, 2019 8:45 pm

Yes, these are "default" self-generated certificates. Have you considered generating or using your own certificate instead?
