Datto 20.04 BCDR appliances and publicly disclosed vulnerabilities

Topic

This article describes the status of publicly disclosed vulnerabilities or exposures that may appear on a vulnerability scan report for a network containing a Datto appliance running Ubuntu 20.04. For older devices running Ubuntu 16.04, see Datto 16.04 appliances and publicly disclosed vulnerabilities.

Environment

  • SIRIS
  • ALTO
  • Datto NAS

Description

Vulnerability scanning software runs many tests: it checks for insecure configuration options, outdated software versions, open ports and default credentials, and it may attempt denial of service or code execution to confirm a finding.

The scanner cross-references the results of these tests against public databases of disclosed vulnerabilities and exposures, most commonly the Common Vulnerabilities and Exposures (CVE) list. Each entry is identified by its CVE ID and given a severity based on its CVSS score (for CVE entries, published by the National Vulnerability Database).

A CVSS base score rates the vulnerability in isolation, independent of the environment in which the affected component runs. Assess the risk in the context of your own network and the Datto appliance: the severity, impact and even the validity of a finding can change dramatically after that assessment.

For example, because the Datto appliance is an Ubuntu-based system, reports about specific software are often inaccurate. Ubuntu backports security fixes into the package version it shipped with the release rather than moving to a newer upstream release that the original vendor may have stopped supporting. The backported fix does not change the version string that scanning tools match on, so the scanner reports a large number of issues that are already fixed. Once you have installed the appropriate updates, treat these reported issues as false positives; the Ubuntu package changelog names the CVE IDs fixed by each update and is the authoritative way to confirm this.

Overview

Below is a table of observed CVE IDs, their current status as of the most recent Datto IRIS release, and a description with supporting information from an official source.

Datto updates this list as vulnerabilities and exposures are identified through cases submitted to Datto Technical Support. Submit a ticket if you have questions or concerns about a CVE that does not appear in the table.

Please Note - We can only provide information relating to Common Vulnerabilities and Exposures (CVEs), as these identify specific potential vulnerabilities that we can assess concretely.

If your scan report does not provide a CVE ID, contact the vendor of the vulnerability scanner for clarification.

Common Service Related Inquiries

Invalid CIFS Logins Permitted

Deployed BCDR devices currently run Samba (package version 2:4.3.11+dfsg-0) to provide SMB, which:

  • lets the device transmit backups to the Datto Cloud
  • provides access to NAS shares on the device for data restoration

A 'null' session is an SMB session established with an empty user name and password. Windows has traditionally used these anonymous sessions so that system processes can perform RPC operations on a remote machine (for example, listing shares or enumerating accounts). Because no credentials are involved, null sessions have security implications: whatever the server exposes over them is exposed to any unauthenticated client.

Datto maintains records of publicly disclosed vulnerabilities and true / false positives (see the Commonly Flagged Vulnerabilities table). The table entry CVE-1999-0519 is listed as "Partially Resolved": the configuration strikes a balance between the product's operational security and its convenience of use, and restricts conventional null sessions to user enumeration only.

In a previous IRIS release, Datto added the setting restrict anonymous = 1 to the smb.conf file. In Samba, a value of 1 disallows anonymous access to the SAMR service (a value of 2 would additionally refuse anonymous connections to the IPC$ share). This guards the service against a true null session while letting the product's backup and disaster recovery functionality work as intended.
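To see what a scanner sees when it reports CVE-1999-0519 against the appliance, the following added example (not Datto's code or tooling) reproduces the null-session check with the Samba client tools smbclient and rpcclient. The host name is whatever you pass on the command line; the rpcclient and smbclient outputs embedded in the script are constructed for the offline demonstration, not captured from a Datto device.

```shell
#!/bin/sh
# Added example (not Datto's code): reproduce a scanner's null-session check
# with the Samba client tools. A null session is an SMB session set up with an
# empty user name and password; "rpcclient -N -U ''" attempts exactly that and
# "-c" runs one RPC command over it. The result classifier is kept separate
# from the network calls so it can be exercised on captured output.

# classify_rpc_output TEXT -> enumerated | denied | unreachable | unknown
classify_rpc_output() {
    case "$1" in
        *"user:["*)                                   echo enumerated ;;  # enumdomusers listed accounts
        *NT_STATUS_ACCESS_DENIED*|*NT_STATUS_LOGON_FAILURE*)
                                                      echo denied ;;      # anonymous access refused
        *NT_STATUS_CONNECTION_REFUSED*|*NT_STATUS_HOST_UNREACHABLE*|*NT_STATUS_IO_TIMEOUT*)
                                                      echo unreachable ;;
        *)                                            echo unknown ;;
    esac
}

# count_shares TEXT -> number of Disk/IPC/Printer rows in "smbclient -L" output
count_shares() {
    printf '%s\n' "$1" | grep -c -E '^[[:space:]]+.+[[:space:]]+(Disk|IPC|Printer)([[:space:]]|$)' || true
}

# probe_null_session HOST: anonymous share listing and anonymous user enumeration.
probe_null_session() {
    host=$1
    shares=$(smbclient -N -L "//$host" 2>&1 || true)                # -N: never prompt for a password
    users=$(rpcclient -N -U '' "$host" -c enumdomusers 2>&1 || true)
    echo "$host: anonymous share listing: $(count_shares "$shares") share(s) visible"
    echo "$host: anonymous user enumeration: $(classify_rpc_output "$users")"
}

# Constructed sample outputs (not captured from any Datto device).
ENUM_OK='user:[backupadmin] rid:[0x3e8]
user:[nobody] rid:[0x1f5]'
ENUM_DENIED='Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED'
SHARE_LIST='
        Sharename       Type      Comment
        ---------       ----      -------
        backups         Disk
        IPC$            IPC       IPC Service (Samba)
SMB1 disabled -- no workgroup available'

# Stand-alone run: probe a host given on the command line, else classify the samples.
if [ $# -eq 1 ]; then
    probe_null_session "$1"
else
    echo "sample enumeration output -> $(classify_rpc_output "$ENUM_OK")"
    echo "sample denied output      -> $(classify_rpc_output "$ENUM_DENIED")"
    echo "sample share listing      -> $(count_shares "$SHARE_LIST") share(s)"
fi
```

Run it against the appliance before and after changing the anonymous-access setting to see exactly what an unauthenticated client is given; "enumerated" with a list of accounts is the condition the scanner is reporting.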

Samba Related CVEs

SMB signing disabled, SMB Signing not required, SMBv2 signing not required

Datto supports SMB signing, and it is enabled by default on Datto BCDR appliances. Some devices may still have SMB signing disabled if they have, or have had, ShadowSnap agent-based backups configured. The setting can be changed in the Device Web under Configure > Device Settings.

NOTE   Enabling SMB signing can break ShadowSnap backups. Contact Datto Technical Support for more information.

SMB: Service supports deprecated SMBv1 protocol

By default, the Samba daemon on the device negotiates the highest SMB protocol version that the connecting machine supports, and still accepts SMBv1 from clients that offer nothing newer. If the device should require SMBv2 or higher, set the Minimum SMB Protocol version in the Device Web under Configure > Device Settings.

Disabling the SMBv1 protocol version will:

  • prevent paired Server 2003 ShadowSnap agents from performing their backups.
  • prevent SMBv1-only legacy Samba clients from connecting to Datto NAS shares.

Datto is not responsible for service degradation caused by disabling the SMBv1 protocol.
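The three Samba settings discussed in this section and the two before it (restrict anonymous, SMB signing and the minimum SMB protocol) can be audited from a copy of the effective configuration. The script below is an added example, not Datto's code or tooling. It assumes you have a Samba configuration file to audit (on a host you administer, testparm -s -v writes the effective configuration with includes resolved and defaults shown); the two sample configurations it contains are constructed for the demonstration, not taken from a Datto device, and the meaning of each value follows the smb.conf(5) man page.

```shell
#!/bin/sh
# Added example (not Datto's code): audit the [global] section of a Samba
# configuration for restrict anonymous, server signing and server min protocol.
# Assumes a configuration file to audit; on a host you administer,
#   testparm -s -v > effective.conf
# writes the effective configuration with includes resolved and defaults shown.
# smb.conf parameter names are case- and whitespace-insensitive, so names are
# normalised before comparison. Value meanings follow smb.conf(5).

# smb_param FILE SECTION NAME -> value of NAME in [SECTION], or nothing if unset
smb_param() {
    awk -v sect="$2" -v want="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*\[/   { cur = norm($0); next }
        /^[ \t]*[#;]/ { next }
        cur == ("[" norm(sect) "]") && index($0, "=") {
            n = $0; sub(/=.*/, "", n)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (norm(n) == norm(want)) { print v; exit }
        }' "$1"
}

# guest_ok_shares FILE -> names of non-global sections that set guest ok = yes
guest_ok_shares() {
    awk '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*\[/   { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*/, "", cur); next }
        /^[ \t]*[#;]/ { next }
        index($0, "=") && norm(cur) != "global" {
            n = $0; sub(/=.*/, "", n)
            v = $0; sub(/^[^=]*=/, "", v)
            if (norm(n) == "guestok" && norm(v) ~ /^(yes|true|1)$/) print cur
        }' "$1"
}

# audit_smb_conf FILE -> FINDING/INFO lines; exit 0 if no FINDING, 1 otherwise
audit_smb_conf() {
    f=$1; rc=0
    ra=$(smb_param "$f" global "restrict anonymous")
    case "${ra:-0}" in
        0) echo "FINDING: restrict anonymous = ${ra:-unset (default 0)}: anonymous SAMR/LSA access allowed, null-session enumeration possible"; rc=1 ;;
        1) echo "INFO: restrict anonymous = 1: anonymous SAMR access refused; IPC\$ still accepts anonymous connections (2 refuses those as well)" ;;
    esac
    ss=$(smb_param "$f" global "server signing" | tr 'A-Z' 'a-z')
    case "${ss:-default}" in
        mandatory) ;;
        *) echo "FINDING: server signing = ${ss:-unset (default)}: signing not required on a standalone file server"; rc=1 ;;
    esac
    mp=$(smb_param "$f" global "server min protocol" | tr 'A-Z' 'a-z')
    case "${mp:-unset}" in
        core|coreplus|lanman1|lanman2|nt1)
            echo "FINDING: server min protocol = $mp: SMB1 dialects still accepted"; rc=1 ;;
        unset)
            echo "INFO: server min protocol unset: Samba 4.11 and later default to SMB2_02, older releases to NT1 (SMB1)" ;;
    esac
    gs=$(guest_ok_shares "$f")
    if [ -n "$gs" ]; then
        printf '%s\n' "$gs" | sed 's/^/FINDING: guest ok = yes on share [/; s/$/], which removes the benefit of restrict anonymous/'
        rc=1
    fi
    return $rc
}

# Constructed sample configurations for the demonstration (not from any Datto device).
weak_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   server signing = disabled
   ; restrict anonymous is left at its default of 0
[backups]
   path = /srv/backups
   guest ok = yes
EOF
}
hardened_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP
   Server Min Protocol = SMB2_02
   ServerSigning = mandatory
   restrict anonymous = 2
[backups]
   path = /srv/backups
   guest ok = no
EOF
}

# Stand-alone run: audit a file given on the command line, else the two samples.
if [ $# -eq 1 ]; then
    audit_smb_conf "$1"
else
    tmp=$(mktemp)
    weak_conf > "$tmp";     echo "== weak sample ==";     audit_smb_conf "$tmp" || true
    hardened_conf > "$tmp"; echo "== hardened sample =="; audit_smb_conf "$tmp" && echo "no findings"
    rm -f "$tmp"
fi
```

The weak sample reproduces all three scanner items from this page plus the guest-share caveat from the man page; the hardened sample passes cleanly. Audit the testparm output rather than the raw smb.conf whenever you can, since a scanner is reacting to the effective values.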

Samba End of Life Concerns

Modern vulnerability scanners may flag the version number of a service as affected by specific CVEs, or as end of life, based on the version database the scanner ships with. These checks normally do not take backporting into account, which Ubuntu (and therefore Datto) relies on. Any Samba end-of-life report against the appliance is a false positive: Ubuntu continues to backport security patches into the Samba version it ships and will continue to do so for as long as the Ubuntu release is in support.

Datto does not use mainline (upstream) Samba releases on its devices. It uses the packages maintained by Canonical, which backports security fixes from mainline releases into its own package versions. Consult the changelog below to see which CVEs have been patched in the Ubuntu package:

https://launchpad.net/ubuntu/focal/+source/samba/+changelog (external link)
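The backport check described in the Description section and in the paragraphs above, as an added example that is not Datto's or Canonical's code: it confirms whether a CVE is already fixed in an installed Ubuntu package by looking for the CVE ID in the package's Debian changelog and comparing the version that introduced the fix with the installed version. It assumes a Debian/Ubuntu host with dpkg and the changelog under /usr/share/doc; the changelog excerpt embedded in the script is constructed, with placeholder versions and CVE-0000-000N identifiers, so that the script runs offline.

```shell
#!/bin/sh
# Added example (not Datto's or Canonical's code): decide whether a Debian/Ubuntu
# package already carries the fix for a CVE that a version-matching scanner
# reports. Ubuntu records every backported security fix in the package's Debian
# changelog, naming the CVE ID, while the upstream version string stays as it was.

# cve_in_changelog CVE-ID   (changelog text on stdin)
# Exit 0 if the ID appears anywhere in the changelog, 1 if it does not.
cve_in_changelog() {
    grep -i -F -q -- "$1"
}

# changelog_entry_for CVE-ID   (changelog text on stdin)
# Print the header ("pkg (version) suite; urgency=...") of the first entry that
# names the CVE. Entry headers start in column 1; body and trailer lines are indented.
changelog_entry_for() {
    awk -v cve="$1" '
        /^[^ \t]/ && NF >= 2             { hdr = $0 }
        index(tolower($0), tolower(cve)) { print hdr; exit }
    '
}

# version_of_entry HEADER -> the version inside the parentheses
version_of_entry() {
    printf '%s\n' "$1" | sed 's/^[^(]*(\([^)]*\)).*/\1/'
}

# check_package_cve PKG CVE-ID: run on the Debian/Ubuntu host itself. Reads the
# installed version with dpkg-query and the changelog shipped under
# /usr/share/doc/PKG (run "apt changelog PKG" if that copy has been trimmed),
# then compares versions with dpkg --compare-versions.
check_package_cve() {
    pkg=$1; cve=$2
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    log=/usr/share/doc/$pkg/changelog.Debian.gz
    [ -r "$log" ] || { echo "$pkg $ver: no $log; try: apt changelog $pkg"; return 2; }
    entry=$(zcat "$log" | changelog_entry_for "$cve")
    if [ -z "$entry" ]; then
        echo "$pkg $ver: $cve not in the changelog; check https://ubuntu.com/security/$cve"
        return 1
    fi
    fixver=$(version_of_entry "$entry")
    if dpkg --compare-versions "$ver" ge "$fixver"; then
        echo "$pkg $ver: $cve fixed in $fixver, installed version is patched (scanner false positive)"
    else
        echo "$pkg $ver: $cve fixed in $fixver but installed version is older; update the package"
        return 1
    fi
}

# Constructed changelog excerpt in Debian changelog format. The versions,
# dates and CVE-0000-000N identifiers are placeholders, not real Ubuntu entries.
SAMPLE_CHANGELOG='samba (2:4.11.6+dfsg-0ubuntu1.99) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder fix description
    - CVE-0000-0001

 -- Placeholder Maintainer <nobody@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

samba (2:4.11.6+dfsg-0ubuntu1.98) focal-security; urgency=medium

  * SECURITY UPDATE: earlier placeholder fix
    - CVE-0000-0003

 -- Placeholder Maintainer <nobody@example.invalid>  Sun, 31 Dec 2023 00:00:00 +0000
'

# sample_status CVE-ID -> "fixed in VERSION" or "missing", using the sample above
sample_status() {
    entry=$(printf '%s' "$SAMPLE_CHANGELOG" | changelog_entry_for "$1")
    if [ -n "$entry" ]; then echo "fixed in $(version_of_entry "$entry")"; else echo missing; fi
}

# Stand-alone run: offline demonstration, or a real check when invoked as
#   sh backport-check.sh --package samba CVE-YYYY-NNNN
if [ "${1:-}" = "--package" ] && [ $# -eq 3 ]; then
    check_package_cve "$2" "$3"
else
    for id in CVE-0000-0001 CVE-0000-0002 CVE-0000-0003; do
        echo "$id: $(sample_status "$id")"
    done
fi
```

A CVE that is absent from the changelog is not automatically a true positive: it may not affect the shipped version at all, or it may be fixed under a different version string, so cross-check the Ubuntu CVE tracker entry the script prints before escalating.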

IPMI Related Concerns

Datto OS releases and updates do not currently interact directly with IPMI, though they may in the future. Newer devices can update their firmware; see Updating SIRIS 5 and ALTO 4 firmware. Datto recommends mitigating the risk of any flagged CVEs or audit findings that reference IPMI by following security best practices for management interfaces. For the time being, the recommended mitigations are:

  • Implement IP-based filtering appropriate to the operating environment so that only the systems that need the IPMI interface can reach it.
  • Disable IPMI entirely, either in the system BIOS or in the Device Web (Configure > Networking > IPMI > Disable IPMI).

Self-signed certificates (Datto Windows Agent)

The Datto Windows Agent uses a certificate issued by Datto's own CA rather than a publicly trusted one, so scanners may flag an untrusted certificate on port 25568: "TLS/SSL certificate signed by unknown, untrusted CA: CN=dla.ca.Datto.com". This is expected behaviour and can be safely ignored, provided the issuer really is CN=dla.ca.Datto.com; a certificate from some other unknown CA on that port is not explained by this article and should be investigated.
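As an added example, not Datto's code or tooling: the check below fetches the certificate presented on tcp/25568, confirms that the issuer CN is the documented dla.ca.Datto.com, and pins the certificate's SHA-256 fingerprint on first sight so that a later change is noticed. The CA name comes from this article; the port default, the pin file location and the trust-on-first-use approach are this example's own choices, and the distinguished-name strings it exercises offline are constructed.

```shell
#!/bin/sh
# Added example (not Datto's code): confirm that the certificate flagged on the
# Datto Windows Agent port is the one this article describes (issued by
# CN=dla.ca.Datto.com) instead of dismissing any untrusted certificate on
# tcp/25568. The CA name is from the article; the pin file and the
# trust-on-first-use step are this example's own choices.

AGENT_PORT=25568
EXPECTED_ISSUER_CN='dla.ca.Datto.com'

# name_cn LINE -> the CN from an openssl "issuer=" or "subject=" line, in either
# the OpenSSL 1.1+ form ("issuer=C = US, CN = x") or the 1.0 form ("issuer= /C=US/CN=x")
name_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# issuer_matches LINE -> exit 0 if the CN equals the expected CA name (case-insensitive)
issuer_matches() {
    cn=$(name_cn "$1" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$(printf '%s' "$EXPECTED_ISSUER_CN" | tr 'A-Z' 'a-z')" ]
}

# agent_cert_check HOST [PINFILE]: fetch the leaf certificate, verify the issuer
# CN, and pin (trust on first use) its SHA-256 fingerprint in PINFILE so that a
# later change to the certificate is reported.
agent_cert_check() {
    host=$1; pin=${2:-./$host.agent-cert.sha256}
    cert=$(openssl s_client -connect "$host:$AGENT_PORT" </dev/null 2>/dev/null | openssl x509 2>/dev/null) \
        || { echo "$host: no TLS certificate obtained on port $AGENT_PORT"; return 2; }
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    fp=$(printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    if issuer_matches "$issuer"; then
        echo "$host: issuer CN is the documented $EXPECTED_ISSUER_CN"
    else
        echo "$host: UNEXPECTED issuer, investigate: $issuer"; return 1
    fi
    if [ -f "$pin" ]; then
        if [ "$(cat "$pin")" = "$fp" ]; then echo "$host: fingerprint matches pinned value"
        else echo "$host: FINGERPRINT CHANGED since first sight: $fp"; return 1; fi
    else
        printf '%s\n' "$fp" > "$pin"; echo "$host: pinned $fp (first sight, stored in $pin)"
    fi
}

# Stand-alone run: check a host given on the command line, else parse constructed lines.
if [ $# -ge 1 ]; then
    agent_cert_check "$@"
else
    for line in 'issuer=CN = dla.ca.Datto.com' 'issuer= /C=US/O=Example/CN=example.invalid'; do
        if issuer_matches "$line"; then echo "expected issuer: $(name_cn "$line")"
        else echo "unexpected issuer: $(name_cn "$line")"; fi
    done
fi
```

Keep the pin file with your scan baselines: the scanner will keep flagging the certificate as untrusted, and the pin is what turns that recurring item into an actual check rather than a standing exception.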

Glossary and Additional Resources

Commonly Flagged Vulnerabilities

  • CVE ID
  • Status
  • Description (Contains external links)