Quick Friday Veeam B&R Check


Userlevel 7
Badge +7

Hey folks, 

Here is a quick check for a Friday afternoon when it comes to your Veeam B&R installations. If you have installed Veeam B&R years and years ago and keep updating to the latest version of Veeam, have a look at the default Veeam generated Self-Signed certificate.

This can be found under the Main Menu > Options > Certificate

Inspect the ‘Signature hash algorithm’ attribute, and if it shows as ‘sha1’ it is worth re-generating the certificate. If you run vulnerability scanners, they should pick this up as well.

Even better, instead of using the Self-Signed Certificate, replace it with one signed by your Internal CA - https://helpcenter.veeam.com/docs/backup/vsphere/tls_internal_ca.html?ver=120

To re-generate the certificate, some instructions can be found here - https://helpcenter.veeam.com/docs/backup/vsphere/self_signed_tls.html?ver=120

Just bear in mind the following:

IMPORTANT

If you update the TLS certificate used on the backup server, you must also update info about the certificate on the following backup infrastructure components:

For AHV Backup proxies, pass through the Edit Nutanix Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish. Also, restart the Veeam AHV Service.
For RHV Backup proxies, pass through the Edit Red Hat Virtualization Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.
For VMware clusters, pass through the I/O filter Management wizard as described in section Installing I/O Filter.
For VMware CDP proxies, pass through the Edit VMware CDP Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.
If you remove the old certificate from the Microsoft Windows certificate store, you must also reconfigure Veeam Agents added to the Computers with pre-installed agents protection group. To do this, repeat the configuration step of the Veeam Agent deployment scenario as described in the subsections of the Deploying Veeam Agents Using Generated Setup Files section. Other protection groups will be automatically reconfigured during the next rescan operation.

If you do not remove the old certificate from the Microsoft Windows certificate store, all protection groups will be automatically reconfigured the next time Veeam Agents connect to the backup server.

https://helpcenter.veeam.com/docs/backup/vsphere/backup_server_certificate.html?ver=120


So why not use SHA-1 anymore? Because it is vulnerable to ‘collision’ attacks. With the computing power available today, it is now possible to re-create a hash that matches the original hash, even though the content is fraudulent. For example, if an email is protected with a SHA-1 algorithm, a malicious actor can potentially read the message and the recipient would be none the wiser that the message was intercepted. The third party is able to re-generate the same hash, even though the original message was tampered with.
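An added script to do the same check from the command line instead of the GUI (example code, not from the original post or from Veeam). It assumes the self-signed certificate sits in the Local Machine Personal store with the friendly name "Veeam Backup Server Certificate"; pass a different -Pattern if yours was renamed.

```powershell
# Added example: flag certificates in Cert:\LocalMachine\My whose signature
# hash algorithm is still SHA-1. Exit code 2 = SHA-1 found, 0 = clean,
# 3 = nothing matched. Run in an elevated PowerShell on the backup server.
param(
    # Assumption: friendly name used by the Veeam-generated certificate
    [string]$Pattern = 'Veeam Backup Server Certificate'
)

# Signature algorithm OIDs that mean "signed with SHA-1"
$weakOids = @{
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
    '1.3.14.3.2.29'        = 'sha1RSA (legacy OID)'
}

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like $Pattern }

if (-not $certs) {
    Write-Warning "No certificate with friendly name like '$Pattern' in Cert:\LocalMachine\My"
    exit 3
}

$exitCode = 0
foreach ($c in $certs) {
    $sig  = $c.SignatureAlgorithm          # System.Security.Cryptography.Oid
    $weak = $weakOids.ContainsKey($sig.Value) -or ($sig.FriendlyName -match '^sha1')

    [pscustomobject]@{
        Subject            = $c.Subject
        Thumbprint         = $c.Thumbprint
        NotAfter           = $c.NotAfter
        SignatureAlgorithm = $sig.FriendlyName   # matches the GUI attribute
        Status             = if ($weak) { 'WEAK (SHA-1) - regenerate' } else { 'OK' }
    }
    if ($weak) { $exitCode = 2 }
}
exit $exitCode
```

Use -Pattern '*' to audit every certificate in the store, not just the Veeam one.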


13 comments

Userlevel 7
Badge +7

Great article from NIST here: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Userlevel 7
Badge +6

Nice @dips - great reminder. Any chance you have links to setting this up with Letsencrypt?

Userlevel 7
Badge +20

Great tip on this one Dips.  We use internal CA certs for many things now.

Userlevel 7
Badge +17

Thanks for sharing Dipen. We're the same as Chris, thankfully.

Userlevel 7
Badge +7

Nice @dips - great reminder. Any chance you have links to setting this up with Letsencrypt?

I don’t, but it sounds like an idea. On the other hand I’d isolate the B&R server from the internet as much as possible.

Userlevel 7
Badge +7

I’m curious @coolsport00 @Chris.Childerhose 

Do you use any particular tool to track certificate expiration?

Userlevel 7
Badge +17

Nothing other than documenting - Excel 🤷🏼‍♂️

Userlevel 7
Badge +20

We document the issued certs in a tool we use for our Service Desk tickets, etc. as it does management of tons of other things, and we can do workflows in it.  Same with all our external SSLs we have for services.

Userlevel 7
Badge +7

Thanks @Chris.Childerhose @coolsport00 

Userlevel 7
Badge +6

@dips for tracking certs I’ve used PowerShell scripts previously. These were integrated into Nagios and you could configure the thresholds and also ignore thumbprints to cut out the false positives.
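An added sketch of the kind of check described in the comment above (example code, not the commenter's script): a Nagios-style plugin that walks the Local Machine Personal store, applies warning/critical day thresholds, and skips an ignore list of thumbprints. The default thresholds and the exit-code mapping are assumptions chosen for illustration.

```powershell
# Added example: certificate expiry check with Nagios plugin conventions
# (exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN; first output line is the status).
param(
    [int]$WarnDays = 30,                 # assumed thresholds, tune per environment
    [int]$CritDays = 14,
    [string[]]$IgnoreThumbprint = @()    # thumbprints of certs to skip (known/accepted)
)

$now   = Get-Date
$worst = 0
$lines = @()

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $IgnoreThumbprint -notcontains $_.Thumbprint }

if (-not $certs) {
    Write-Output 'UNKNOWN - no certificates left to check after applying the ignore list'
    exit 3
}

foreach ($c in $certs) {
    # Negative values mean the certificate has already expired
    $days  = [math]::Floor(($c.NotAfter - $now).TotalDays)
    $state = 0
    if ($days -le $CritDays)     { $state = 2 }
    elseif ($days -le $WarnDays) { $state = 1 }

    if ($state -gt 0) {
        $lines += ('{0} [{1}] expires in {2} day(s) on {3:yyyy-MM-dd}' -f `
            $c.Subject, $c.Thumbprint.Substring(0, 8), $days, $c.NotAfter)
    }
    if ($state -gt $worst) { $worst = $state }
}

$label = @('OK', 'WARNING', 'CRITICAL')[$worst]
if ($worst -eq 0) {
    Write-Output ('OK - {0} certificate(s) valid for more than {1} days' -f @($certs).Count, $WarnDays)
} else {
    Write-Output ('{0} - {1}' -f $label, ($lines -join '; '))
}
exit $worst
```

Wire it in as an NRPE/agent command; the exit code drives the alert and the first line becomes the service status text.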

Userlevel 7
Badge +7

Thanks @MarkBoothman 

Are there any options for auto-renewal of certs in Nagios?

Userlevel 7
Badge +6

@dips not as far as I am aware but it's possible a trigger could be created and scripted although I’ve not done that personally. Would it not be better to review which certs need renewing before auto-renewing them?

Userlevel 7
Badge +7

Yea, definitely @MarkBoothman 

I do see a lot of automation of certs now with 30 - 60 day validity rather than the usual 1 year.
