Response to Common Vulnerabilities and Exposures (CVEs)

The CVE and NIST organizations publish security vulnerability reports as they are discovered, and the use cases in which each vulnerability occurs are also described. Our engineering team evaluates each report to determine whether Datto appliances are exposed, and then determines corrective action if needed.

Security updates are included in normal appliance updates. No manual action is necessary to have the latest security packages.

Environment

  • Datto SIRIS
  • Datto ALTO
  • Datto NAS

Description

Before contacting Datto Support regarding a possible CVE reported by a scanner, please do the following:

  • Confirm your appliance is on the latest IBU release. The current version is shown on the Device overview.

  • Scan your system with the latest updates of your security vulnerability scanner. Compare the results of your scan with this article. Many CVEs reported against Datto systems are false positives or do not apply to our system (see the note about scanners below). Eliminate all that do not apply.

  • Note any CVEs your tool reports against the appliance that are not resolved by this process. Provide the scanner output for those specific CVEs to Datto Support.

Datto appliances run on Ubuntu (22.04). Ubuntu is a fixed-release Linux distribution. As such, Ubuntu releases receive security updates during the support window in the form of backported patches. More information can be found here: Ubuntu Security Updates (external link).

If your vulnerability scanner does not account for these backports, your scans will contain many false positives.

Ubuntu's vulnerability response database can be found here: Ubuntu CVEs (external link).

Datto provides long-term support for all software delivered on our systems for customers covered under an active Datto support agreement. When Datto determines that functional or security issues require an update, Datto will supply an updated software package. This includes providing updated Ubuntu packages, updated Datto software packages, or other custom software packages used by Datto.

Samba Related CVEs

SMB signing disabled, SMB Signing not required, SMBv2 signing not required

Datto does support SMB signing, and by default, SMB signing is enabled on Datto BCDR appliances. Some devices may still have SMB signing disabled if they have, or previously had, ShadowSnap agent-based backups configured. This setting can be changed in the Remote Web under Configure > Device Settings.

SMB: Service supports deprecated SMBv1 protocol

By default, the Samba Daemon on the device will negotiate to the highest SMB protocol version available from the machine with which it is communicating. If the device requires SMBv2 or higher, the Minimum SMB Protocol version can be set in the Remote Web under Configure > Device Settings.

Disabling the SMBv1 protocol version will prevent SMBv1-only legacy Samba clients from connecting to Datto NAS shares. Datto is not responsible for service degradation caused by disabling the SMBv1 protocol.
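The two Samba findings above (signing not required, SMBv1 still accepted) both come down to the values of `server signing` and `server min protocol` in the effective Samba configuration. The following is an added example, not Datto's own code or tooling: it reads smb.conf-style text on standard input, extracts a `[global]` parameter the way Samba matches names (case-insensitive, whitespace ignored), and classifies the two settings so a scanner finding can be compared with what the service is actually configured to do. The two sample configurations are constructed for illustration; on a Datto appliance the settings themselves are managed through the Remote Web, as described above.

```shell
# Added example, not Datto's own code: check the two Samba settings the SMB
# findings above refer to, given smb.conf-style text on stdin. The sample
# configurations below are constructed for illustration.

# Print the value of one [global] parameter. Samba treats parameter names as
# case-insensitive and ignores internal whitespace, so normalise both sides.
smb_global_setting() {
    # $1 = parameter name, e.g. "server min protocol"
    awk -v key="$1" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global][ \t]*$/); next }
        in_global && /=/ && !/^[ \t]*[#;]/ {
            split($0, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    '
}

# Classify "server min protocol" and "server signing" for the text on stdin.
# Prints one "parameter=value:verdict" line per setting.
smb_baseline_check() {
    conf=$(cat)
    minp=$(printf '%s\n' "$conf" | smb_global_setting 'server min protocol')
    sign=$(printf '%s\n' "$conf" | smb_global_setting 'server signing')
    case "$(printf '%s' "$minp" | tr 'a-z' 'A-Z')" in
        '')                                m=unset ;;          # Samba build default applies
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) m=smbv1-allowed ;;  # SMBv1 dialects still negotiable
        *)                                 m=ok ;;             # SMB2_02 or higher
    esac
    case "$(printf '%s' "$sign" | tr 'A-Z' 'a-z')" in
        '')        s=unset ;;
        mandatory) s=ok ;;
        *)         s=not-required ;;   # auto/default/disabled do not force signing
    esac
    printf 'server min protocol=%s:%s\n' "$minp" "$m"
    printf 'server signing=%s:%s\n' "$sign" "$s"
}

# Constructed sample: the commented-out line and the share-level line must
# not leak into the [global] result.
WEAK_CONF='[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   ; server signing = mandatory
   server signing = auto

[backups]
   path = /srv/backups
   server min protocol = SMB3'

# Constructed sample with the hardened values.
HARDENED_CONF='[Global]
   workgroup = WORKGROUP
   Server Min Protocol = SMB2_02
   server signing = mandatory'

printf '%s\n' "$WEAK_CONF" | smb_baseline_check
printf '%s\n' "$HARDENED_CONF" | smb_baseline_check

# On a real Samba host, feed the effective configuration (defaults included):
#   testparm -s -v 2>/dev/null | smb_baseline_check
```

Run against `testparm -s -v` output rather than the raw smb.conf when checking a live host, because `testparm` prints the effective value of every parameter, including the build default that applies when the file does not set it; an `unset` verdict on raw smb.conf text means the Samba version's default decides, which differs between releases.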

Samba End of Life Concerns

Modern vulnerability scanners may flag the version number of a service as vulnerable to specific CVEs, or as end of life, based on the database associated with the scanner. These checks normally do not take backporting into account, which is what we rely on. Any kind of Samba EOL report is a false positive. Ubuntu continues to backport security patches into older versions of Samba and will continue to do so as long as the kernel version is in support.

We do not use mainline versions of Samba on our devices. Rather, we use versions that are maintained by Canonical. Canonical back-ports security updates from mainline releases into its own versions. Please consult the change log here to reference CVEs that were patched during the mainline releases:

https://launchpad.net/ubuntu/focal/+source/samba/+changelog (external link)
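The backport discussion above (the Ubuntu security update model under Description, and the Samba change log just referenced) leaves the practical question of how to tell whether a CVE a scanner reports against a version string is already fixed in the installed package. Ubuntu records each backported fix, with its CVE identifier, in the package's Debian changelog, newest entry first. The following is an added example, not Datto's or Canonical's tooling: it reads such a changelog from standard input, finds the entry that introduced the fix for a given CVE, and relates that to the installed version using the changelog order, so the result is `fixed`, `unfixed`, or `unknown` when the changelog cannot answer. The sample changelog and its versions are constructed; only the file format is real.

```shell
# Added example, not Datto's or Canonical's tooling: decide whether a CVE that a
# scanner reports against a package version is already covered by the Ubuntu
# backport that is installed. Input is a Debian-format changelog on stdin,
# newest entry first; the sample changelog below is constructed.

# Print the package version whose entry first (i.e. most recently) mentions the CVE.
cve_fixed_in_version() {
    # $1 = CVE id, e.g. CVE-2099-0002
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9.+-]* \(/ { v = $2; gsub(/[()]/, "", v) }  # "pkg (version) series; urgency=..."
        $0 ~ (cve "([^0-9]|$)") { print v; exit }                   # exact id, not a longer id with this prefix
    '
}

# Relate the installed version to the fixing entry using the changelog order.
# Prints: fixed | unfixed | unknown
cve_status() {
    # $1 = CVE id, $2 = installed version exactly as dpkg-query prints it
    awk -v cve="$1" -v inst="$2" '
        /^[a-z0-9][a-z0-9.+-]* \(/ {
            v = $2; gsub(/[()]/, "", v)
            if (v == inst) inst_found = 1        # every entry above this one is newer than installed
        }
        !found && $0 ~ (cve "([^0-9]|$)") {
            found = 1
            # installed entry already passed => the fixing entry is installed or older
            verdict = inst_found ? "fixed" : "unfixed"
        }
        END {
            # unknown: CVE never mentioned, or installed version absent from this changelog
            if (!found || !inst_found) print "unknown"; else print verdict
        }
    '
}

# Constructed changelog: three uploads, the middle one carrying a CVE fix.
SAMPLE_CHANGELOG='samba (2:4.0.0+dfsg-0ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-2099-0003

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000

samba (2:4.0.0+dfsg-0ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - debian/patches/CVE-2099-0002.patch: backported upstream fix
    - CVE-2099-0002

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000

samba (2:4.0.0+dfsg-0ubuntu0.1) jammy; urgency=medium

  * Constructed initial entry

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000'

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_version CVE-2099-0002
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-2099-0002 '2:4.0.0+dfsg-0ubuntu0.1'

# On an Ubuntu host, against the real installed package (not run here):
#   zcat /usr/share/doc/samba/changelog.Debian.gz \
#     | cve_status CVE-XXXX-YYYY "$(dpkg-query -W -f='${Version}' samba)"
```

The check deliberately relies on changelog order rather than reimplementing dpkg version comparison, which is why an installed version that does not appear in the changelog yields `unknown` instead of a guess. Where the installed changelog has been truncated, `apt changelog samba` fetches the full history from the archive, and the Ubuntu CVE tracker linked above remains the authoritative record.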

IPMI Related Concerns

Datto OS releases and updates do not interact directly with IPMI, but they may in the future. Newer devices may update their firmware using the procedure in Updating SIRIS 5 and ALTO 4 firmware. Datto recommends mitigating the risks of any flagged CVEs or audit findings that directly reference IPMI through proper implementation of security best practices. For the time being, the mitigations we recommend are:

  • Implement IP based filtering appropriate to the operating environment to restrict access to only the systems needing it.
  • Disable the IPMI entirely from the BIOS of the system. (Web UI > Configure > Networking > IPMI > Disable IPMI)

Self-signed certificates (Datto Windows Agent)

Self-signed certificates for the Datto Windows Agent may get flagged as an untrusted certificate in use on port 25568: "TLS/SSL certificate signed by unknown, untrusted CA: CN=dla.ca.Datto.com". This is expected behavior and poses no risk. You can safely ignore this error.