[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Datto Windows Agent 1.0.5.0 Remote Command Execution [CVE-2017-16673][CVE-2017-16674]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Datto Windows Agent 1.0.5.0 Remote Command Execution [CVE-2017-16673][CVE-2017-16674]
From: brainn@xxxxxxxxx
Date: Thu, 9 Nov 2017 17:55:02 GMT

Credits
=======
Brian Vincent, Michael Brumlow

Software
========
Datto Windows Agent

Vulnerability Details
=====================
Discovered: Aug 25, 2017
Type: Remote code execution as LocalSystem
Severity: Critical

Description
===========

CVE-2017-16673
Software: Datto Backup Agent for Windows, MacOS, Linux
Versions: All current versions

Datto Backup Agents rely on TLS client certificates to authenticate incoming 
requests.  These certificates and private keys are easy to obtain, even if you 
are not a Datto customer.  Once a single certificate and private key is 
obtained, it can be used to authenticate with any Datto Backup Agent.  The 
result is that there is no effective authentication on incoming connections to 
Datto Backups Agents.

This means that any attacker that can establish a TCP connection on port 25566 
or 25568 to a Datto Backup Agent can impersonate a Datto Appliance machine, and 
"pair" with a Datto agent, and issue requests.  These requests include 
performing a full system image-based backup of the machine, or executing 
certain OS commands.  A comprehensive list of requests and their capabilities 
is currently unknown.

CVE-2017-16674
Software: Datto Windows Agent
Versions: versions earlier than 1.0.6.0

The Datto Windows Agent attempts to whitelist only certain OS commands.  In 
versions earlier than 1.0.6.0, this whitelist can be easily avoided.  This 
allows arbitrary commands to be executed.

Together, these vulnerabilities result in trivial remote command execution as 
LocalSystem for the Datto Windows Agent in versions earlier than 1.0.6.0.

Vendor response
===============
https://www.datto.com/partner-security-update-nov2017

Vendor response correction
==========================
It is not necessary to be on the same local network to exploit these 
vulnerabilities.  An attacker only needs to be able to establish a TCP 
connection to the agent to exploit these vulnerabilities.

Recommendation
==============
Ensure that you are running at least version 1.0.6.0 of the Datto Windows 
agent, which fixes CVE-2017-16674.  For all Datto Backup Agents, set a local 
firewall rule to only allow incoming connections from your trusted Datto 
Appliance, as there is no fix for CVE-2017-16673 currently.

Proof of Concept
================
A proof of concept will not be posted at this time.

Prev by Date: AST-2017-009: Buffer overflow in pjproject header parsing can cause crash in Asterisk
Next by Date: [SECURITY] [DSA 4026-1] bchunk security update
Previous by thread: AST-2017-009: Buffer overflow in pjproject header parsing can cause crash in Asterisk
Next by thread: [SECURITY] [DSA 4026-1] bchunk security update
Index(es):
- Date
- Thread