MidnightBSD

Advisories for datto

CVE-2015-2081 HIGH

Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
datto siris_virtual_firmware -
datto siris_3_firmware -
datto siris_3_x_all-flash_firmware -
datto alto_imaged_firmware -
datto alto_3_firmware -
datto alto_2_firmware -
datto alto_xl_firmware -
datto siris_2_firmware -
CVE-2015-9254 HIGH

Datto ALTO and SIRIS devices have a default VNC password.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
datto siris_virtual_firmware -
datto siris_3_firmware -
datto siris_3_x_all-flash_firmware -
datto alto_imaged_firmware -
datto alto_3_firmware -
datto alto_2_firmware -
datto alto_xl_firmware -
datto siris_2_firmware -
CVE-2015-9255 MEDIUM

Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
datto siris_virtual_firmware -
datto siris_3_firmware -
datto siris_3_x_all-flash_firmware -
datto alto_imaged_firmware -
datto alto_3_firmware -
datto alto_2_firmware -
datto alto_xl_firmware -
datto siris_2_firmware -
CVE-2015-9256 MEDIUM

Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
datto siris_virtual_firmware -
datto siris_3_firmware -
datto siris_3_x_all-flash_firmware -
datto alto_imaged_firmware -
datto alto_3_firmware -
datto alto_2_firmware -
datto alto_xl_firmware -
datto siris_2_firmware -
CVE-2017-16673 LOW

Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this agent, if the attacker can reach the agent on TCP port 25566 or 25568, and send unspecified "specific information" by which the agent identifies a network device that is "appearing to be a valid Datto."

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
datto backup_agent *
CVE-2017-16674 MEDIUM

Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA) 1.0.5.0 and earlier. In other words, an attacker could combine this "primary/secondary" attack with the CVE-2017-16673 "rogue pairing" attack to achieve unauthenticated access to all agent machines running these older DWA versions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
datto windows_agent *