mloupus
Novice
Posts: 3
Liked: never
Joined: Aug 29, 2019 11:52 am
Full Name: Matthew Loupus
Contact:

Vulnerability Mitigation Assistance

Post by mloupus »

Good morning,

I have a few questions regarding a few mitigation attempts on our newly configured Veeam backup server. We are running Veeam

Given the software is powered via phpMyAdmin, would there be any way some light could be shed on remediating the following issues:

3.1.1. phpMyAdmin Credentials: user 'pma' with empty password
(http-phpmyadmin-account-pma-password-empty)
Description:
The phpMyAdmin installation is vulnerable to password guessing attacks, as it has an account with the username 'pma' and an empty password.
Affected Nodes:
Affected Nodes: xxx.xxx.xxx.xxx:9443
Additional Information: Running HTTPS service
Based on the following 2 results:

HTTP GET request to https://xxx.xxx.xxx.xxx:9443/phpmyadmin/
HTTP response code was an expected 401
HTTP GET request to https://xxx.xxx.xxx.xxx/phpmyadmin/
HTTP response code was an expected 200

Vulnerability Solution:
In the config.inc.php file, either remove the values for $cfg['Servers'][$i]['user'] and $cfg['Servers'][$i]['password'], or set a strong password in the $cfg['Servers'][$i]['password'] field. Please visit the phpMyAdmin wiki for more information.

What would be the best way to mitigate the above vulnerability on our backup server (Server 2019 v1809)?

Thank you!

Matthew Loupus
Coordinator I Network Services
Miami Dade College - North Campus
11380 NW 27th Avenue
Miami, FL 33167 I Room 1326
Dept: 305-23(7-8282)
Office: 305-23(7-8305) I Email: mloupus@mdc.edu
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerability Mitigation Assistance

Post by Gostev »

mloupus wrote: Aug 29, 2019 5:45 pm
Given the software is powered via phpMyAdmin
That is actually not a correct statement. What makes you think so?
mloupus
Novice
Posts: 3
Liked: never
Joined: Aug 29, 2019 11:52 am
Full Name: Matthew Loupus
Contact:

Re: Vulnerability Mitigation Assistance

Post by mloupus »

My apologies @Gostev, and thank you for the reply. I meant MySQL, if I am not mistaken. I'm completely new to Veeam administration, so please bear with me. I know it's a simple answer, but I wanted to reach out to the forums before making any changes. Please advise at your earliest convenience. It would be greatly appreciated!

Thank you again,

-Matt
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerability Mitigation Assistance

Post by Gostev » 1 person likes this post

No Veeam products use MySQL. So as far as Veeam's concerned, feel free to make any phpMyAdmin changes required :D I can guarantee you this will not affect any Veeam products. Thanks!
mloupus
Novice
Posts: 3
Liked: never
Joined: Aug 29, 2019 11:52 am
Full Name: Matthew Loupus
Contact:

Re: Vulnerability Mitigation Assistance

Post by mloupus »

Thank you Gostev. I was just getting acclimated to Veeam for the first time and wasn't 100% clear. I very much appreciate your patience! :) Given a fresh install of Veeam, where would the phpMyAdmin web server installation/configuration files be located on Windows Server 2019?

For example:

I'd like to remove the "test" and "setup" directories from phpMyAdmin. Would you be able to point me in the right direction? Many thanks once again for helping me out.

Matt
lemtargatwing
Enthusiast
Posts: 25
Liked: 5 times
Joined: Jul 28, 2017 2:48 pm
Full Name: Kyle Witte
Contact:

Re: Vulnerability Mitigation Assistance

Post by lemtargatwing » 1 person likes this post

I think I'm more curious as to why you're running phpMyAdmin on your Veeam B&R server.
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Vulnerability Mitigation Assistance

Post by nmdange » 2 people like this post

I suspect there's something wrong with whatever software you're using that generated that vulnerability report.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Vulnerability Mitigation Assistance

Post by Gostev »

mloupus wrote: Sep 20, 2019 7:54 pm
Given a fresh install of Veeam, where would the phpMyAdmin web server installation/configuration files be located on Windows Server 2019?
Once again: Veeam does not install phpMyAdmin web server at all.
krishna.kumar
Novice
Posts: 5
Liked: never
Joined: Oct 18, 2023 7:10 pm
Full Name: Krishna Kumar
Contact:

Re: Vulnerability Mitigation Assistance

Post by krishna.kumar »

The problem still exists in the product, though it's not related to PHP / PHP admin.

The problem is with the webapp\security\windows\web.config

If you replace the web.config in the security\windows folder with the web.config in the webapp\backup folder, the URL https://localhost:9443/phpmyadmin/ will stop prompting for a password and show an error instead.

You can replicate the issue by accessing the URL https://localhost:9443/phpmyadmin on a server with Veeam Enterprise Manager installed.

This URL will prompt for a password, and will accept any username, which is interpreted as a vulnerability by many of the vulnerability scanners.

Can the Veeam team confirm whether replacing the web.config in the folder webapp\security\windows with the web.config in the webapp\backup folder would cause any other issue?
krishna.kumar
Novice
Posts: 5
Liked: never
Joined: Oct 18, 2023 7:10 pm
Full Name: Krishna Kumar
Contact:

Re: Vulnerability Mitigation Assistance

Post by krishna.kumar »

Addition:
You can replicate the issue by accessing the URL:
https://localhost:9443/xyzabc as well :)
krishna.kumar
Novice
Posts: 5
Liked: never
Joined: Oct 18, 2023 7:10 pm
Full Name: Krishna Kumar
Contact:

Re: Vulnerability Mitigation Assistance

Post by krishna.kumar »

Got this from Veeam support; this should resolve the issue:
https://www.veeam.com/kb2089
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Vulnerability Mitigation Assistance

Post by Andreas Neufert »

Looks like you installed the Enterprise Manager on a system with some PHP software. (Veeam does not use PHP at all.)
I would not do this.

In general, all vulnerability scanners will find a lot of false positives that are, under investigation, not applicable in many ways.
Yes, you can tune the Internet Information Server security as needed.
krishna.kumar
Novice
Posts: 5
Liked: never
Joined: Oct 18, 2023 7:10 pm
Full Name: Krishna Kumar
Contact:

Re: Vulnerability Mitigation Assistance

Post by krishna.kumar »

The mention of PHP is confusing the whole case; there is no PHP installed on the server.
The vulnerability is highlighting a known vulnerable behaviour which is associated with PHP.

If the below file is by default configured with: <add key="useWindowsAuth" value="false" />, this issue will be gone once and for all.
C:\Program Files\Veeam\Backup and Replication\Enterprise Manager\WebApp\web.config

This is as per the article: https://www.veeam.com/kb2089
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Vulnerability Mitigation Assistance

Post by Andreas Neufert »

Thanks for the clarification. I will forward to the security team.
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Vulnerability Mitigation Assistance

Post by Andreas Neufert »

I checked with our Security team and web team, and we think that this is a false positive, or better said, a detection logic issue with the PHP vulnerability script.

We think what happens is the following.
With the default Windows IIS settings in place, any directory/page lookup that does not exist gets the Windows authentication prompt. For example, when you open /test.
When the authentication does not work (username/password not accepted), the default behavior of IIS is to redirect to a web-based authentication => a webpage is fully loaded, which we think your PHPADMIN scan will falsely interpret as a vulnerability. (Webpage loaded, but it ignores that this page then asks again for authentication.)

The setting you mentioned forces IIS to go directly to web authentication. Your scanner opens the specific page, gets only the web page authentication, and authentication fails with an error (instead of forwarding to the next authentication webpage prompt).

It is basically a workaround for the specific test, not a security improvement.

Can you please check with the vendor of your vulnerability scan? You can PM me a contact of this vendor as well, and we can discuss together.
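
The reasoning in the post above (every non-existent path gets the same authentication prompt or login page, so a loaded page at /phpmyadmin/ proves nothing) can be tested by comparing the flagged path with control paths such as /xyzabc. This is an added example, not part of the thread and not Veeam's or the scanner vendor's code; the response records, the login page markup and the phpMyAdmin marker strings are constructed assumptions.

```python
import hashlib
import re

# Field names from a phpMyAdmin login form (assumption: default login page).
PMA_MARKERS = ("pma_username", "pma_password")

def fingerprint(resp):
    """Reduce a response to features that stay constant when the server
    answers every unknown path with the same auth prompt or login page."""
    body = resp["body"].lower()
    path = resp["path"].lower().strip("/")
    if path:  # a login page may echo the requested path (e.g. in a return URL)
        body = body.replace(path, "<path>")
    body = re.sub(r"\s+", " ", body).strip()
    scheme = resp["headers"].get("WWW-Authenticate", "").split(" ")[0].lower()
    return (resp["status"], scheme, hashlib.sha256(body.encode()).hexdigest())

def triage(flagged, controls):
    """Classify a scanner hit using responses for paths that cannot exist."""
    if any(m in flagged["body"].lower() for m in PMA_MARKERS):
        return "phpmyadmin-present"   # real application content: investigate
    if controls and all(fingerprint(c) == fingerprint(flagged) for c in controls):
        return "catch-all-response"   # same answer for any path: likely false positive
    return "inconclusive"             # differs from baseline, no markers: manual review

# Constructed sample responses (not captured from any real server).
LOGIN = "<html><title>Sign in</title><form action='/login?ReturnUrl=/{p}'></form></html>"
FLAGGED = {"path": "/phpmyadmin/", "status": 200, "headers": {},
           "body": LOGIN.format(p="phpmyadmin")}
CONTROLS = [{"path": "/xyzabc", "status": 200, "headers": {},
             "body": LOGIN.format(p="xyzabc")}]
REAL_PMA = {"path": "/phpmyadmin/", "status": 200, "headers": {},
            "body": "<input name='pma_username'><input name='pma_password'>"}

if __name__ == "__main__":
    print(triage(FLAGGED, CONTROLS))
    print(triage(REAL_PMA, CONTROLS))
```
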
krishna.kumar
Novice
Posts: 5
Liked: never
Joined: Oct 18, 2023 7:10 pm
Full Name: Krishna Kumar
Contact:

Re: Vulnerability Mitigation Assistance

Post by krishna.kumar »

Hi Andreas,

I do not have a contact for the vendor; below is the vulnerability listed on their webpage. You may pursue this if you wish.
The workaround that we applied cleared out the false positive for us.

https://www.rapid7.com/db/vulnerabiliti ... ord-empty/

Thanks & regards,
Krishna
Andreas Neufert
VP, Product Management
Posts: 6749
Liked: 1408 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Vulnerability Mitigation Assistance

Post by Andreas Neufert »

I wrote them, but not sure if they will listen.
My suggestion is that you as a customer escalate this as well (need Rapid 7 ticket ID): https://information.rapid7.com/Customer-Escalation.html