Datto 20.04 BCDR appliances and publicly disclosed vulnerabilities
Topic
This article describes the status of publicly disclosed vulnerabilities or exposures that might appear on a vulnerability report for a network where a Datto appliance running Ubuntu 20.04 is present. For older devices running Ubuntu 16.04, see Datto 16.04 appliances and publicly disclosed vulnerabilities.
Environment
- SIRIS
- ALTO
- Datto NAS
Description
Vulnerability scanning software performs many tests that check for insecure configuration options, outdated software versions, open ports, and default credentials, and that attempt denial of service or code execution.
The software cross-references the results of these tests with public databases of disclosed vulnerabilities or exposures, the most common of which is the Common Vulnerabilities and Exposures (CVE) website. The database lists these vulnerabilities and exposures by their CVE ID and ranks their severity by CVSS rating.
CVSS bases its scores on the affected component's common operating environment. You should assess the risk in the context of your own environment and the Datto appliance; the severity, impact, and validity of a finding can change dramatically after this assessment.
For example, because the Datto appliance is an Ubuntu-based system, reports about specific software may not be accurate: Ubuntu back-ports security fixes into older software versions that the upstream vendor may no longer support. A backported update does not change the leading version header that scanning tools match on, so it produces a large number of reported issues. After you have installed the appropriate updates, you can consider these reported issues false positives.
Overview
Below is a table of observed CVE IDs, their current status as of the most recent Datto IRIS release, and a description with reference information from an official source.
Datto updates this list as we identify vulnerabilities and exposures through common cases submitted to Datto Technical Support. Submit a ticket if you have questions or concerns about a CVE that does not appear below.
Please Note - We can only provide information relating to Common Vulnerabilities and Exposures (CVEs), as these are very specific potential vulnerabilities that we can tangibly assess.
If you do not have a CVE ID, we recommend reaching out to the owner or manufacturer of the vulnerability scanner you used.
Common Service Related Inquiries
Invalid CIFS Logins Permitted
Deployed BCDR devices currently run Samba (package version 2:4.3.11+dfsg-0) / SMB, which:
- lets the device transmit backups to the Datto Cloud
- provides access to NAS shares on the device for data restoration.
'Null' sessions are a traditional SMB mechanism that lets the appropriate Windows processes set up RPC operations on a remote system without authenticating. These sessions can have security implications.
Datto maintains records of publicly disclosed vulnerabilities and true and false positives (see the table above). We list table entry CVE-1999-0519 as "Partially Resolved" to maintain a strict balance between the product's operational security and its convenience of use, and to restrict conventional null sessions to user enumeration only.
In a previous IRIS release, we added the setting Restrict Anonymous=1 to the smb.conf file. This guards the service against a true null session while letting the product's backup and disaster recovery functionality work as intended.
Samba Related CVEs
SMB signing disabled, SMB Signing not required, SMBv2 signing not required
Datto does support SMB signing, and by default SMB signing is enabled on Datto BCDR appliances. Some devices may still have SMB signing disabled if they have, or have had, ShadowSnap agent-based backups configured. This setting can be changed in the Device Web under Configure > Device Settings.
NOTE: Enabling SMB signing can break ShadowSnap backups. Contact Datto Technical Support for more information.
SMB: Service supports deprecated SMBv1 protocol
By default, the Samba Daemon on the device will negotiate to the highest SMB protocol version available from the machine with which it is communicating. If the device requires SMBv2 or higher, the Minimum SMB Protocol version can be set in the Device Web under Configure > Device Settings.
Disabling the SMBv1 protocol version will:
- prevent paired Server 2003 ShadowSnap agents from performing their backups.
- prevent SMBv1-only legacy Samba clients from connecting to Datto NAS shares.
Datto is not responsible for service degradation caused by disabling the SMBv1 protocol.
Samba End of Life Concerns
Modern vulnerability scanning software may flag the version number of a service as vulnerable to specific CVEs, or as end of life, based on the entries in the scanner's associated database. These checks normally do not take backporting into account, which is what Ubuntu relies on. Any Samba EOL report is therefore a false positive. Ubuntu continues to backport security patches into older versions of Samba and will continue to do so as long as the kernel version is in support.
We do not use mainline versions of Samba on our devices. Rather, we use versions that are maintained by Canonical, which back-ports security updates from mainline releases into its own versions. Consult the change log at the link below to see which CVEs were patched in each release:
https://launchpad.net/ubuntu/focal/+source/samba/+changelog (external link)
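As an added example (not part of Datto's article or tooling), the following Python script shows how to triage a version-banner finding against a Debian-format changelog such as the Launchpad one linked above: it orders full dpkg version strings (epoch, upstream, revision) the way dpkg does, and reports a finding as a false positive when the installed version is at or past the changelog entry that lists the CVE. The changelog text, the package name examplepkg and the CVE IDs CVE-0000-000x are constructed placeholders; the version formats mirror those quoted on this page.

```python
"""Triage a version-banner scanner finding against a Debian package changelog.
Backported fixes leave the upstream version (the banner a scanner keys on)
unchanged and only advance the Debian revision, so compare the full dpkg
version and look for the changelog entry that lists the CVE."""
import re
from functools import cmp_to_key

ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)  # "pkg (version) dist;"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def _order(c):
    """Weight of a non-digit character in dpkg's version ordering."""
    if c == "~":
        return -1  # '~' sorts before anything, even the end of the string
    return ord(c) if c.isalpha() else ord(c) + 256  # punctuation after letters

def _cmp_fragment(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1  # reached only when both are the same non-digit character
            j += 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def split_version(version):
    """Split '2:4.3.11+dfsg-0ubuntu1' into (epoch, upstream, debian_revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_changelog(text):
    """Return [(version, {CVE IDs})] per changelog entry, in file order (newest first)."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for k, m in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(text)
        entries.append((m.group(2), set(CVE_RE.findall(text[m.end():end]))))
    return entries

def triage(installed, cve, changelog):
    """Classify a scanner hit for `cve` given the installed dpkg version string."""
    fixing = [v for v, cves in parse_changelog(changelog) if cve in cves]
    if not fixing:
        return "unknown: CVE not mentioned in changelog"
    first_fix = min(fixing, key=cmp_to_key(compare_versions))
    verdict = "false positive" if compare_versions(installed, first_fix) >= 0 else "true positive"
    return f"{verdict}: fixed in {first_fix}, installed {installed}"

# Constructed sample changelog in Debian format. The package name and CVE IDs
# are placeholders; the version strings mirror the apache2 format on this page.
SAMPLE_CHANGELOG = """\
examplepkg (2.4.41-4ubuntu3.8) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder issue
    - CVE-0000-0003

examplepkg (2.4.41-4ubuntu3.7) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder issues
    - CVE-0000-0001
    - CVE-0000-0002
"""
```

On the appliance, `dpkg-query -W -f='${Version}' samba` prints the full installed version string to feed into `triage()`; the scanner banner alone (for example "2.4.41") carries none of the revision information that decides the verdict.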
IPMI Related Concerns
Datto OS releases and updates do not interact directly with IPMI, but they may in the future. Newer devices can update their firmware by following Updating SIRIS 5 and ALTO 4 firmware. Datto recommends mitigating the risks of any flagged CVEs or audit findings that directly reference IPMI through proper implementation of security best practices. For the time being, the mitigations we recommend are:
- Implement IP-based filtering appropriate to the operating environment to restrict access to only the systems that need it.
- Disable IPMI entirely from the BIOS of the system (Web UI > Configure > Networking > IPMI > Disable IPMI).
Self-signed certificates (Datto Windows Agent)
Self-signed certificates for the Datto Windows Agent may get flagged as an untrusted certificate in use on port 25568: "TLS/SSL certificate signed by unknown, untrusted CA: CN=dla.ca.Datto.com". This is expected behavior and poses no risk. You can safely ignore this error.
Glossary and Additional Resources

CVE is a list of entries for publicly known cybersecurity vulnerabilities, each containing an identification number, a description, and at least one public reference. Numerous cybersecurity products and services around the world use CVE entries.
MITRE CVE Website (external link)

A CVE ID is the identifier of a CVE entry (e.g., CVE-2013-948574) and is a standard method for identifying vulnerabilities. The ID consists of the CVE prefix, the year the CVE was assigned or made public, and a sequence number.
MITRE CVE Website - What is a CVE ID? (external link)

CVE Numbering Authorities are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
MITRE CVE, CVE Numbering Authorities (external link)

CVSS (Common Vulnerability Scoring System) is a system created to detail the characteristics of a vulnerability and provide a numerical score representing its severity. This score is commonly translated into low, medium, high, and critical ratings to aid assessment and prioritization in vulnerability management.
FIRST CVSS User Guide (external link)

Ubuntu Security Notices are the security notices that affect the currently supported releases of Ubuntu. Each notice contains a summary of the vulnerability, the affected systems, details of the original discovery, update instructions, and other public references.
Ubuntu Security Notice Website (external link)
Commonly Flagged Vulnerabilities
Table columns: CVE ID, Status, Description (contains external links)

Although all Linux systems are vulnerable to the Cobalt Strike attack tool set, it is important to note that BCDR devices have a low attack surface, so we find it very unlikely that an attacker could plant this tool set on a BCDR device. For this attack to succeed, an attacker would need SSH or console access to the device itself, which is locked by default. We recommend ensuring that strict security controls are in place internally and referring to our Secure Deployment Guide.

True Positive
This is considered Low Risk by Datto Support and may be remediated in the future with a firmware update. The Firmware Lock Down functionality of the device is optional and not enabled by default. Exploitation also requires both that the SSH daemon be unlocked (which it is not by default) and that the attacker hold the backup-admin credentials of the device, which are stored in your Portal behind mandatory multifactor authentication. The recommended mitigation is to ensure the SSH daemon is turned off; Tech Support can confirm this is the case.
Dell Knowledge Base: https://www.dell.com/support/kbdoc/en-us/000205346/dsa-2022-265-dell-idrac8-and-dell-idrac9-security-update-for-a-racadm-vulnerability

Affected*
Datto BCDR appliances utilize the gnutls_rnd() functionality of Samba, which is affected by CVE-2022-1615. As BCDR appliances use the Ubuntu Linux operating system, devices are affected per Ubuntu's advisory at https://ubuntu.com/security/CVE-2022-1615; however, we do not have a known path to attack devices using this vulnerability at this time. Our initial assessment, based on the initial assessments from Ubuntu and Samba, is that this vulnerability is a medium risk.

CVE-2016-2114, CVE-2016-2115
False Positive
This vulnerability does not apply to Datto's Samba implementation. Samba is currently running version 2:4.3.11+dfsg-0ub, which is the upstream version released with Canonical's latest patching.
Ubuntu security advisory (external links):

False Positive (Datto IRIS 4.12.5)
If your scanner is detecting this CVE on your appliance, please ensure it is on the latest available OS image, as this was patched in Datto IRIS 4.12.5.

False Positive (Datto IRIS 4.12.5)
If your scanner is detecting this CVE on your appliance, please ensure it is on the latest available OS image, as this was patched in Datto IRIS 4.12.5.

False Positive
This issue only affects Apache version 2.4.49, which SIRIS devices do not currently run. There is also a security advisory directly from Canonical that discusses the current upstream fixes and vulnerable versions.
Ubuntu security advisory(external link)

False Positive
We are past the backported versions that were patched. The current apache2 package on appliances is 2.4.41-4ubuntu3.8.
Ubuntu security advisory(external link)

False Positive
We are past the backported versions that were patched. Devices are currently on 2:2.0.10-0ubuntu0.20.04.3.
Ubuntu security advisory(external link)

False Positive
This vulnerability has been patched on the latest Canonical release, and is not applicable to the version of Samba that exists on the Datto appliance.
Ubuntu security advisory(external link)

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2021-3738

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2021-3671

Not applicable

'Local privilege escalation using polkit_system_bus_name_get_creds_sync()'
False Positive
This vulnerability requires the policykit-1 package to be present on an Ubuntu 20.04 system; the fix was backported in version 0.105-26ubuntu1.1, which is the latest backported version on current 20.04 Datto appliances. Devices on 16.04 do not have the policykit-1 package.
Ubuntu security advisory(external link)

False Positive
We are past the backported versions that were patched. Devices are currently on 1:8.2p1-4ubuntu0.4.
Ubuntu security advisory(external link):

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-25722

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-25721

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-25719

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-25718

False Positive
This CVE does not apply to software in the Ubuntu archives.
Ubuntu security advisory(external link)

True Positive
This is technically a true positive, because the 'scp' utility is part of the current OpenSSH implementation. However, it is considered Low Risk, as Datto Support has no current workflows in which the 'scp' utility would be used. Exploitation also requires both that the SSH daemon be unlocked (which it is not by default) and that the attacker hold the backup-admin credentials, which are stored in your Portal behind mandatory multifactor authentication. The recommended mitigation is to ensure the SSH daemon is turned off; Tech Support can confirm this is the case.
Ubuntu Security Advisory(external link)

False Positive
This vulnerability does not apply to Datto's Samba implementation. Samba is currently running version 2:4.3.11+dfsg-0ub, which is the upstream version released with Canonical's latest patching. This was patched in the 16.04 Samba release.
Ubuntu security advisory(external link)

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-14303

Not Applicable
Ubuntu addressed this issue in its security advisory for apache2 2.4.18-2ubuntu3. We also do not run the "mod_http2" Apache module on SIRIS devices.
Ubuntu Security Advisory(external link)

Not Applicable
Ubuntu addressed this issue in its security advisory for apache2 2.4.18-2ubuntu3. We also do not run the "mod_uwsgi" Apache module on SIRIS devices.
Ubuntu Security Advisory(external link)

Not Applicable
Due to the way the SIRIS image is deployed, we do not natively run SaltStack services on the device in a way that would allow CVE-2020-11651 or CVE-2020-11652 to be exploited.

Not Applicable
Due to the way the SIRIS image is deployed, we do not natively run SaltStack services on the device in a way that would allow CVE-2020-11651 or CVE-2020-11652 to be exploited.

Not Applicable
If your scanner is detecting this CVE on your appliance, please ensure it is on the latest available OS image, as this was patched in Datto IRIS 4.11.13 (2022-02-10).

Not Applicable
If your scanner is detecting this CVE on your appliance, please ensure it is on the latest available OS image, as this was patched in Datto IRIS 4.11.13 (2022-02-10).

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-10730

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-10704

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2020-10700

Not Applicable
Ubuntu addressed this issue in its security advisory for apache2 2.4.18-2ubuntu3.
Ubuntu Security Advisory(external link)

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14861

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14907

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14902

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14861

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14847

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14833

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14907

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14902

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14847

Not Applicable
Datto's implementation of Samba is not configured to run in AD DC mode, but your scanner may still flag this CVE. If you see a Samba CVE that is not listed in this documentation, check whether it concerns the use of Samba as an AD DC. If so, it can be considered not applicable, given the configuration required for the vulnerability to be exploited.
Ubuntu Security Advisory (external link): CVE-2019-14833

False Positive
Ubuntu addressed this issue in a back-ported software release.
Ubuntu Security Advisory(external link)

False Positive
Datto has addressed this issue in a combined release of Datto Windows Agent version 1.0.6.0 and Datto OS 3.68.8.

False Positive
Datto has addressed this issue in a combined release of ShadowSnap agent version 4.0.0 and Datto OS 3.68.8.

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
While the issue is present in the installed software version, the threat model described here does not apply to Datto appliances, because users of shares cannot configure directories in this way.

In Progress
Datto is waiting for upstream providers to supply a suitable fix for the affected hypervisor components. When those fixes are available, they will be tested and included in a future release.

False Positive
The Datto IRIS 3.71.3 release addressed this issue.

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
If your scanner is detecting this CVE on your appliance, please ensure it is on the latest available OS image, as this was patched in Datto IRIS 4.11.13 (2022-02-10).
Ubuntu Security Advisory(external link)

Not Applicable
This CVE does not apply to software in the Ubuntu archives.
Ubuntu Security Advisory(external link)

CVE-2020-27840
False Positive
We are past the backported versions that were patched. Devices are currently on 2:2.0.10-0ubuntu0.20.04.3.
Ubuntu security advisory(external link)

False Positive
We are well past the backported versions that were patched. The current openssl package on appliances is 1.1.1f-1ubuntu2.8.
Ubuntu Security Advisory(external link)