Datto 16.04 BCDR appliances and publicly disclosed vulnerabilities

Topic

This article describes the status of publicly disclosed vulnerabilities or exposures that might appear on a vulnerability report for a network that contains a Datto appliance running legacy Ubuntu 16.04.

For current devices running Ubuntu 20.04, see Datto 20.04 BCDR appliances and publicly disclosed vulnerabilities.

Environment

  • SIRIS
  • ALTO
  • Datto NAS

Description

Vulnerability scanning software runs many kinds of tests: checks for insecure configuration options, outdated software versions, open ports and default credentials, and active probes such as denial-of-service or code-execution attempts.

The software cross-references the results of these tests with public databases of disclosed vulnerabilities and exposures, most commonly the Common Vulnerabilities and Exposures (CVE) list. Each entry is identified by its CVE ID and assigned a severity through its CVSS score.

A CVSS base score describes the vulnerability as it would affect a typical deployment of the component; it knows nothing about how the component is deployed in your network. Assess the risk in the context of your environment and of the Datto appliance's role in it. The severity, impact and even the validity of a finding can change dramatically after that assessment.

For example, because the Datto appliance is Ubuntu-based, reports about specific software versions are often inaccurate: Ubuntu back-ports security fixes into older upstream versions that the upstream vendor may no longer support. A backported fix does not change the upstream version string that scanning tools match on, so a scan reports many issues that the installed package has already fixed. After you have installed the appropriate updates, treat these reports as false positives.

Overview

The Commonly Flagged Vulnerabilities table at the end of this article lists observed CVE IDs, their status as of the most recent Datto IRIS release, and a description with references to an official source.

Datto updates this list as we identify vulnerabilities and exposures through common cases submitted to Datto Technical Support. Submit a ticket if you have questions or concerns about a CVE that does not appear below.

Common Service Related Inquiries

Invalid CIFS Logins Permitted

Deployed BCDR devices run Samba (package version 2:4.3.11+dfsg-0) to provide SMB, which:

  • lets the device transmit backups to the Datto Cloud
  • provides access to NAS shares on the device for data restoration

A ‘null’ session is an SMB session to the IPC$ share established with empty credentials. Windows has traditionally allowed such sessions so that system processes can perform RPC operations on a remote machine without a user logon; the same mechanism lets an unauthenticated client enumerate users, groups and shares, so these sessions have security implications.

Datto maintains records of publicly disclosed vulnerabilities and of true and false positives (see the Commonly Flagged Vulnerabilities table). We list CVE-1999-0519 as “Partially Resolved”: the anonymous connection itself is still accepted, to balance the product’s operational security against its usability, but what a null session can do on the device is limited as described below.

In a previous IRIS release, we added restrict anonymous = 1 to the [global] section of smb.conf. Samba documents this setting as blocking the retrieval of user and group list information over an anonymous connection (the classic null-session enumeration), while leaving anonymous connections themselves allowed so that the product’s backup and disaster recovery functionality continues to work as intended.

Samba Related CVEs

SMB signing disabled, SMB Signing not required, SMBv2 signing not required

Datto does not officially support SMB signing on 16.04 devices, and SMB signing is not enabled on these appliances by default.

Enabling SMB signing requires terminal access to the device and setting server signing = mandatory in the [global] section of the Samba configuration (smb.conf).

NOTE   Enabling SMB Signing can break ShadowSnap backups. Contact Datto Technical Support for more information.

SMB: Service supports deprecated SMBv1 protocol

By default, the Samba daemon (smbd) on the device negotiates the highest SMB protocol version that both it and the connecting client support, which includes SMBv1 for clients that offer nothing newer. If the device must require SMBv2 or higher, Datto Technical Support can assist with setting server min protocol in smb.conf.

Disabling the SMBv1 protocol version will:

  • prevent paired Server 2003 ShadowSnap agents from performing their backups.
  • prevent SMBv1-only legacy Samba clients from connecting to Datto NAS shares.

Datto is not responsible for service degradation caused by disabling the SMBv1 protocol.
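The three Samba settings discussed in this section, collected into one smb.conf [global] excerpt as an added example. This is not the configuration Datto ships: only restrict anonymous = 1 reflects what the article says is already set, while server signing = mandatory and server min protocol = SMB2 are the changes a customer would make together with Datto Technical Support, each with the breakage noted above.

```ini
# /etc/samba/smb.conf, [global] excerpt (added example, not Datto's shipped file)
[global]
    # Already set on 16.04 appliances (see above). Anonymous connections are
    # still accepted, but an unauthenticated client can no longer retrieve
    # user and group lists. Samba's default is 0 (no restriction).
    restrict anonymous = 1

    # NOT enabled by default and not officially supported on 16.04.
    # Requires every client to sign SMB traffic; can break ShadowSnap backups.
    # Default is "default" (signing offered but not required).
    server signing = mandatory

    # NOT set by default. Refuses SMBv1 (NT1) clients: paired Server 2003
    # ShadowSnap agents and SMBv1-only Samba clients will no longer connect.
    # Default on this Samba version is NT1.
    server min protocol = SMB2
```

Validate the edited file with testparm -s before applying it, then restart the service with systemctl restart smbd. From another host, smbclient -N -L //appliance shows what an anonymous client can still do after the change, and a client that only speaks SMBv1 is refused once server min protocol is set.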

Samba End of Life Concerns

Vulnerability scanners typically flag a service from its reported version string alone, matching that string against the CVEs and end-of-life dates in their database. That method does not account for backporting, which is how the packages on these devices are maintained. Any Samba end-of-life report against a Datto appliance is therefore a false positive: Canonical continues to backport security patches into the Samba version shipped with Ubuntu 16.04 for as long as that Ubuntu release is supported.

We do not run mainline (upstream) Samba releases on our devices; we run the packages maintained by Canonical, which back-ports security fixes from upstream releases into its own package versions. Consult the package changelog to see which CVEs the Ubuntu package has fixed:

https://launchpad.net/ubuntu/xenial/+source/samba/+changelog
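The practical check behind both the backporting paragraph earlier in this article and the changelog reference above, as an added shell example (not Datto's tooling): instead of trusting the "Samba 4.3.11" version string a scanner sees, read the package changelog and ask whether the CVE in the finding is listed, and in which package version. On the appliance the changelog is /usr/share/doc/samba/changelog.Debian.gz; the functions below work on the decompressed text or on a copy of the Launchpad page. The sample changelog embedded in the script is constructed: the CVE IDs are real Samba CVEs that Ubuntu did fix for xenial, but the version numbers, dates and maintainer are illustrative and not the real package history.

```shell
#!/bin/sh
# Added example: decide whether a scanner finding against "Samba 4.3.11" is a
# backport false positive by reading the Debian changelog instead of the
# version string. On the appliance: zcat /usr/share/doc/samba/changelog.Debian.gz

# List every CVE ID referenced anywhere in a decompressed Debian changelog.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$1" | sort -u
}

# Print the package version of the newest changelog entry that references a CVE.
# Entries are newest-first; each starts with "pkg (version) series; urgency=...".
# Prints nothing if the CVE is not mentioned at all.
fixing_version() {
    awk -v cve="$2" '
        BEGIN { pat = cve "([^0-9]|$)" }   # CVE-2017-7494 must not match CVE-2017-74940
        /^[a-z0-9][a-z0-9.+-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        ver != "" && $0 ~ pat { print ver; exit }
    ' "$1"
}

# Exit 0 if the changelog records a fix for the CVE, 1 otherwise.
cve_is_fixed() {
    [ -n "$(fixing_version "$1" "$2")" ]
}

# On a real appliance only: is the installed package at or above the fixing version?
# dpkg --compare-versions understands epochs ("2:") and Debian revision ordering,
# which a plain string comparison gets wrong.
installed_at_least() {
    dpkg --compare-versions "$(dpkg-query -W -f='${Version}' "$1")" ge "$2"
}

# Constructed sample in Debian changelog format (versions and dates are illustrative).
SAMPLE_CHANGELOG="${TMPDIR:-/tmp}/samba.changelog.sample.$$"
cat > "$SAMPLE_CHANGELOG" <<'EOF'
samba (2:4.3.11+dfsg-0ubuntu0.16.04.12) xenial-security; urgency=medium

  * SECURITY UPDATE: SMB signing bypass issues (constructed entry)
    - debian/patches/CVE-2017-12150.patch: enforce signing where required.
    - CVE-2017-12150
    - CVE-2017-12151

 -- Example Maintainer <maintainer@example.com>  Mon, 02 Oct 2017 00:00:00 +0000

samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution via shared library upload (constructed entry)
    - debian/patches/CVE-2017-7494.patch: refuse to load modules from shares.
    - CVE-2017-7494

 -- Example Maintainer <maintainer@example.com>  Wed, 24 May 2017 00:00:00 +0000
EOF

echo "CVEs referenced in the sample changelog:"
cves_in_changelog "$SAMPLE_CHANGELOG"
for cve in CVE-2017-7494 CVE-2017-12150 CVE-2017-15275; do
    if cve_is_fixed "$SAMPLE_CHANGELOG" "$cve"; then
        echo "$cve: fixed in package version $(fixing_version "$SAMPLE_CHANGELOG" "$cve")"
    else
        echo "$cve: not referenced in this changelog; review manually before closing the finding"
    fi
done
# rm -f "$SAMPLE_CHANGELOG"   # uncomment to clean up the sample file
```

A CVE that the changelog lists in a version at or below the installed one (compare with installed_at_least samba VERSION on the device) is a backport false positive; a CVE that is absent is not automatically a true positive, since upstream may have fixed it in a version whose code the Ubuntu package never contained, but it does need a human look rather than a reflexive dismissal.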

IPMI Related Concerns

Datto OS releases and updates currently do not interact directly with IPMI, although they may in the future. Datto recommends mitigating the risk of any flagged CVEs or audit findings that reference IPMI by following security best practices. For the time being, we recommend:

  • Implement IP-based filtering appropriate to the operating environment so that only the systems that need the IPMI interface can reach it.
  • Disable IPMI entirely from the system BIOS (Web UI -> Configure -> Networking -> IPMI -> Disable IPMI).
  • See Secure deployment best practices for Datto appliances

Self-signed certificates (Datto Windows Agent)

The certificate that the Datto Windows Agent presents on TCP port 25568 may be flagged as untrusted, for example as "TLS/SSL certificate signed by unknown, untrusted CA: CN=dla.ca.Datto.com". The certificate is issued by Datto's own agent CA rather than by a publicly trusted CA, so a scanner that does not know that CA reports it as untrusted. This is expected behavior and poses no risk; you can safely ignore this finding.
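Before dismissing such a finding, it is worth confirming that the certificate on 25568 really chains to the agent CA named above and not to something unexpected. The following added shell example (not Datto's tooling) parses the issuer line that openssl x509 -noout -issuer prints, in both the OpenSSL 1.0 style that Ubuntu 16.04 ships and the 1.1+/3.x style, and compares the CN with dla.ca.Datto.com. The port and CN come from the scanner message quoted above; the assumption that the port speaks plain TLS that openssl s_client can negotiate follows from the finding itself, and the sample issuer lines are constructed.

```shell
#!/bin/sh
# Added example: confirm that a "signed by unknown CA" finding on TCP 25568 is
# the Datto agent CA the article names (dla.ca.Datto.com) and nothing else.

EXPECTED_ISSUER_CN="dla.ca.Datto.com"

# Extract the CN from an `openssl x509 -noout -issuer` line. Handles both
# OpenSSL 1.0.x output ("issuer= /C=US/CN=name", shipped with Ubuntu 16.04)
# and 1.1+/3.x output ("issuer=C = US, CN = name").
issuer_cn() {
    printf '%s\n' "$1" \
        | sed -n -E 's|.*CN ?= ?([^,/]+).*|\1|p' \
        | sed 's/[[:space:]]*$//'
}

# Exit 0 if the issuer CN is the Datto agent CA. The comparison is
# case-insensitive because DNS-style names are, and scanners differ in casing.
is_expected_datto_issuer() {
    [ "$(issuer_cn "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$EXPECTED_ISSUER_CN" | tr 'A-Z' 'a-z')" ]
}

# Live check (not run here): fetch the issuer line from the agent port.
# Usage: fetch_issuer_line agent-host 25568
fetch_issuer_line() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Constructed sample issuer lines in both OpenSSL output styles.
SAMPLE_10="issuer= /CN=dla.ca.Datto.com"
SAMPLE_11="issuer=CN = dla.ca.Datto.com"
SAMPLE_OTHER="issuer=C = US, O = Let's Encrypt, CN = R3"

for line in "$SAMPLE_10" "$SAMPLE_11" "$SAMPLE_OTHER"; do
    if is_expected_datto_issuer "$line"; then
        echo "expected Datto agent CA: $line"
    else
        echo "UNEXPECTED issuer, investigate before closing the finding: $line"
    fi
done
```

On a live appliance, is_expected_datto_issuer "$(fetch_issuer_line agent-host 25568)" gives a yes/no answer; a mismatch means the finding is not the one this article describes and should be investigated rather than ignored.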

Glossary and Additional Resources

Commonly Flagged Vulnerabilities

Table of observed CVE IDs, one row per CVE, with the columns CVE ID, Status, and Description (contains external links).