Security Thoughts: Veeam Backup & Replication leaks Azure Password in log

In Veeam Backup & Replication 9.5 versions prior to Update 4, the password for the Microsoft Azure account used by the Direct Restore to Azure functionality can be found in the log in plain text.

Veeam Backup and Replication is used by a lot of organizations worldwide to create and restore backups of systems, applications and services. Its Direct Restore to Azure functionality absolutely rocks for both backups and migrations to Azure Infrastructure as a Service (IaaS). Alas, there is a security issue that might diminish your fantastic experience with this feature…


The situation

You want to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant.

You follow the steps outlined in Veeam KnowledgeBase article 2702:

  1. You first create a user object in Microsoft Azure Active Directory.
  2. You run the Windows PowerShell script below to create a custom role in Microsoft Azure with minimal privileges:

        # Define a custom role with only the actions Direct Restore to Azure needs
        $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
        $role.Name = 'Veeam Restore Operator'
        $role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
        $role.IsCustom = $true

        $permissions = @(
            'Microsoft.Storage/storageAccounts/listkeys/action',
            'Microsoft.Storage/storageAccounts/read',
            'Microsoft.Network/locations/checkDnsNameAvailability/read',
            'Microsoft.Network/virtualNetworks/read',
            'Microsoft.Network/virtualNetworks/subnets/join/action',
            'Microsoft.Network/publicIPAddresses/read',
            'Microsoft.Network/publicIPAddresses/write',
            'Microsoft.Network/publicIPAddresses/delete',
            'Microsoft.Network/publicIPAddresses/join/action',
            'Microsoft.Network/networkInterfaces/read',
            'Microsoft.Network/networkInterfaces/write',
            'Microsoft.Network/networkInterfaces/delete',
            'Microsoft.Network/networkInterfaces/join/action',
            'Microsoft.Network/networkSecurityGroups/read',
            'Microsoft.Network/networkSecurityGroups/write',
            'Microsoft.Network/networkSecurityGroups/delete',
            'Microsoft.Network/networkSecurityGroups/join/action',
            'Microsoft.Compute/locations/vmSizes/read',
            'Microsoft.Compute/locations/usages/read',
            'Microsoft.Compute/virtualMachines/read',
            'Microsoft.Compute/virtualMachines/write',
            'Microsoft.Compute/virtualMachines/delete',
            'Microsoft.Compute/virtualMachines/start/action',
            'Microsoft.Compute/virtualMachines/deallocate/action',
            'Microsoft.Compute/virtualMachines/instanceView/read',
            'Microsoft.Compute/virtualMachines/extensions/read',
            'Microsoft.Compute/virtualMachines/extensions/write',
            'Microsoft.Resources/checkResourceName/action',
            'Microsoft.Resources/subscriptions/resourceGroups/read',
            'Microsoft.Resources/subscriptions/resourceGroups/write',
            'Microsoft.Resources/subscriptions/locations/read'
        )

        $role.Actions = $permissions
        # Reuse the exclusions of the built-in Virtual Machine Contributor role
        $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

        # Replace the zeros with the ID of the subscription the role may be assigned in
        $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
        $role.AssignableScopes = $subs

        New-AzureRmRoleDefinition -Role $role

  3. Then, you register the newly created user object and role in Veeam Backup & Replication using the following command in an elevated Command Prompt window on the Windows Server installation running Veeam Backup & Replication:

        cd C:\Program Files\Veeam\Backup and Replication\Backup
        Veeam.backup.manager.exe REGISTERAZUREACCOUNT

The account is then ready for use.


The issue

When you assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant, using the steps outlined in Veeam KnowledgeBase article 2702, the password for the Microsoft Azure account can be found in the C:\ProgramData\Veeam\Backup\VeeamBackupManager.log file in plain text.

This issue affects Veeam Backup & Replication 9.5 versions prior to Update 4.
The issue is described in Veeam KnowledgeBase article 2886.


The solution

The issue was addressed in Veeam Backup & Replication 9.5 Update 4.

Veeam Backup & Replication 9.5 Update 4 was released in January 2019. The Direct Restore to Azure functionality was made available in March 2016. The guidance to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant was first released in August 2018.


Call to Action

Please upgrade to Veeam Backup & Replication 9.5 Update 4.

If your organization has configured the account for Direct Restore using the guidance in Veeam KnowledgeBase article 2702, or intends to do so on Veeam Backup & Replication 9.5 versions prior to Update 4, apply the necessary security measures for the log file.

If your organization’s security principles allow you to edit or remove the log file, do so.
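As an added example (not code from the original post or from Veeam), the PowerShell script below checks whether the Direct Restore to Azure account password sits in plain text in VeeamBackupManager.log and then restricts the log's ACL to SYSTEM and local Administrators. It assumes the log path named above and that the Veeam services run as Local System; if they use a dedicated service account, that account needs to be granted access as well.

```powershell
# Added example, not code from the original post or from Veeam.
# Checks whether the Direct Restore to Azure account password sits in plain
# text in VeeamBackupManager.log and restricts the log's ACL. Run elevated on
# the Veeam Backup & Replication server. Assumes the Veeam services run as
# Local System; if they use a dedicated service account, grant it access too.
param(
    [string]$LogPath = 'C:\ProgramData\Veeam\Backup\VeeamBackupManager.log'
)

if (-not (Test-Path -LiteralPath $LogPath)) {
    Write-Warning "Log file not found: $LogPath"
    return
}

# Prompt for the password so it is never stored in this script or a history file.
$secure = Read-Host -Prompt 'Azure account password to search for' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ([string]::IsNullOrEmpty($plain)) { throw 'No password entered.' }

# -SimpleMatch treats the password as a literal string, not a regular expression.
$hits = Select-String -LiteralPath $LogPath -Pattern $plain -SimpleMatch
$plain = $null

if ($hits) {
    # Report only line numbers; the matching lines themselves contain the secret.
    Write-Warning ('Password found in plain text on line(s): ' + ($hits.LineNumber -join ', '))
    Write-Warning 'Rotate the Azure account password after upgrading to 9.5 Update 4.'
} else {
    Write-Host "No plain-text occurrence of the password in $LogPath."
}

# Lock the file down: stop inheriting rules from the folder, drop the existing
# rules, then allow only SYSTEM and local Administrators.
$acl = Get-Acl -LiteralPath $LogPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $LogPath -AclObject $acl
Write-Host "ACL on $LogPath now limited to SYSTEM and Administrators."
```

Rotated log files in the same folder may hold older copies of the same line, so repeat the check against them before deciding the exposure is contained.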

Further reading

Veeam “Direct Restore to Azure” Walk-Through
Veeam Availability Suite 9.5 Update 4 is now available. Here’s how cool it is.
Release Information for Veeam Backup & Replication 9.5 Update 4
