Datto 16.04 BCDR appliances and publicly disclosed vulnerabilities
Topic
This article describes the status of publicly disclosed vulnerabilities or exposures that might appear on a vulnerability report for a network where a Datto appliance running legacy Ubuntu 16.04 is present.
For current devices running Ubuntu 20.04, see Datto 20.04 BCDR appliances and publicly disclosed vulnerabilities.
Environment
- SIRIS
- ALTO
- Datto NAS
Description
Vulnerability scanning software can perform many tests that check for insecure configuration options, outdated software versions, open ports, default credentials, susceptibility to denial of service, or possible code execution.
The software cross-references the results of these tests with public databases of disclosed vulnerabilities or exposures, the most common of which is the Common Vulnerabilities and Exposures (CVE) website. The database lists these vulnerabilities and exposures by their CVE ID and ranks them in severity by their CVSS rating.
CVSS bases its scores on the affected component's common operating environment. You should assess the risk in the context of your own environment and the Datto appliance; the severity, impact, and even validity of a finding can change dramatically after this assessment.
For example, because the Datto appliance is an Ubuntu-based system, reports about specific software may not be accurate: Ubuntu back-ports security fixes into older software versions that the upstream vendor may no longer support. A backported update does not change the leading version number that scanning tools match on, so scanners report a large number of issues. After you have installed the appropriate updates, you can consider these reported issues false positives.
Overview
Below is a table of observed CVE IDs, their current status as of the most recent Datto IRIS Release, and a description with referential information from an official source.
Datto updates this list as we identify vulnerabilities and exposures through common cases submitted to Datto Technical Support. Submit a ticket if you have questions or concerns about a CVE that does not appear below.
Common Service Related Inquiries
Invalid CIFS Logins Permitted
Deployed BCDR devices currently run Samba (package version 2:4.3.11+dfsg-0) for SMB, which:
- lets the device transmit backups to the Datto Cloud
- provides access to NAS shares on the device for data restoration.
'Null' sessions are a long-standing SMB feature: an anonymous session (no username or password) that lets the appropriate Windows processes set up RPC operations against a remote system. These sessions can have security implications.
Datto maintains records of publicly disclosed vulnerabilities and true / false positives (see the Commonly Flagged Vulnerabilities table). We list table entry CVE-1999-0519 as "Partially Resolved" to maintain a balance between the product's operational security and convenience of use, and to restrict conventional null sessions to user enumeration only.
In a previous IRIS release, we added the setting Restrict Anonymous=1 to the smb.conf file. This guards the service against a true null session while letting the product's backup and disaster recovery functionality work as intended.
Samba Related CVEs
SMB signing disabled, SMB Signing not required, SMBv2 signing not required
Datto does not officially support SMB signing on 16.04 devices, and, by default, SMB signing is not enabled on these appliances.
Enabling SMB signing requires terminal access to the device and modifying the Samba configuration to set SMB signing as ‘mandatory.’
NOTE Enabling SMB Signing can break ShadowSnap backups. Contact Datto Technical Support for more information.
SMB: Service supports deprecated SMBv1 protocol
By default, the Samba Daemon on the device will negotiate to the highest SMB protocol version available from the machine with which it is communicating. If the device requires SMBv2 or higher, Datto Technical Support can assist with setting the appropriate protocols within the smb.conf file.
Disabling the SMBv1 protocol version will:
- prevent paired Server 2003 ShadowSnap agents from performing their backups.
- prevent SMBv1-only legacy Samba clients from connecting to Datto NAS shares.
Datto is not responsible for service degradation caused by disabling the SMBv1 protocol.
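The three smb.conf settings discussed in this section and in "Invalid CIFS Logins Permitted" (restrict anonymous, server signing, and the minimum SMB protocol) are what a scanner is really reporting on when it flags "SMB signing not required", "SMBv1 supported", or null-session findings. The following is an added example, not Datto's code, that parses an smb.conf the way Samba does (parameter names are case-insensitive and ignore whitespace; only the first "=" matters; "#" and ";" start comments) and reports which of the three settings are still at a weak value. The two configurations are constructed samples; the defaults assumed for missing parameters (signing not mandatory, SMBv1 dialects negotiable, restrict anonymous 0) are those of Samba 4.3, and treating "required" as an alias of "mandatory" is an assumption. The caveats in this article still apply to any real change: mandatory signing can break ShadowSnap backups, and a minimum protocol of SMB2 stops Server 2003 ShadowSnap agents and SMBv1-only clients from connecting.

```python
"""Audit the [global] section of an smb.conf for the three settings this
article discusses.  Added example, not Datto's code; defaults assumed are
those of Samba 4.3 (server signing not mandatory, SMBv1 allowed,
restrict anonymous = 0)."""

# 'mandatory' is the documented value; 'required' as an accepted alias is an
# assumption, not something the article states.
SIGNING_REQUIRED = {"mandatory", "required"}

# Constructed sample: a file server left at Samba defaults.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = BCDR appliance (constructed sample)
   security = user
   ; no signing, min protocol or restrict anonymous lines: Samba defaults apply
[nas-share]
   path = /tmp/constructed
   read only = no
"""

# Constructed sample with the hardened values from this article.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   Restrict Anonymous = 1
   server signing = mandatory
   server min protocol = SMB2
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_param: raw_value}}.

    Samba ignores case and all whitespace in section and parameter names and
    only the first '=' on a line is significant, so keys are normalised the
    same way ("Restrict Anonymous" -> "restrictanonymous").  Values are kept
    as written.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = "".join(line[1:-1].split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (parameter, finding) tuples; empty means all three
    settings are at the hardened value."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    signing = g.get("serversigning", "default").lower()
    if signing not in SIGNING_REQUIRED:
        findings.append(("server signing",
                         f"is '{signing}'; scanners report SMB signing not required"))

    # 'min protocol' is the older synonym of 'server min protocol'.
    min_proto = g.get("serverminprotocol", g.get("minprotocol", "LANMAN1")).lower()
    if not min_proto.startswith(("smb2", "smb3")):
        findings.append(("server min protocol",
                         f"is '{min_proto}'; SMBv1 dialects can still be negotiated"))

    restrict = g.get("restrictanonymous", "0").strip()
    if restrict == "0":
        findings.append(("restrict anonymous",
                         "is 0; anonymous (null) sessions are not restricted"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_smb_conf(conf) or 'no findings'}")
```

Run against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the parser deliberately does not evaluate `include =` directives, so anything pulled in from other files must be checked separately.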
Samba End of Life Concerns
Modern vulnerability scanners may flag the version number of a service as vulnerable to specific CVEs, or as end of life, based on the scanner's own database. These methods normally do not take backporting into account, which is what the appliance relies on. Any Samba EOL report is a false positive: Ubuntu continues to backport security patches into older versions of Samba and will continue to do so as long as the Ubuntu release is in support.
We do not use mainline versions of Samba on our devices. Rather, we use versions maintained by Canonical, which back-ports security updates from mainline releases into its own versions. Consult the change log to see which CVEs were patched in those releases:
https://launchpad.net/ubuntu/xenial/+source/samba/+changelog
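The reason scanners misreport backported packages (as explained above and in the Description section) is that they compare the bare upstream version in a banner ("4.3.11") against a fixed-in version, while the fix actually lives in the Debian revision ("0ubuntu0.16.04.24"). The check a practitioner wants is therefore a full Debian version comparison of the installed package version against the version the Ubuntu changelog or USN names as fixed. The following is an added example, not Datto's or Canonical's code: it implements the version comparison algorithm from Debian Policy section 5.6.12 (epoch, then upstream version, then revision, alternating non-digit and digit runs, with "~" sorting before everything), and the `verdict` helper applies it. The version strings used at the bottom are the ones this article quotes; the package name, fixed-in version and the `dpkg-query` invocation are only illustrative.

```python
"""Debian version comparison (Debian Policy 5.6.12) and a backport-aware
verdict for scanner findings.  Added example, not Datto's or Canonical's code."""
import re


def _order(ch):
    """Modified character ordering used for the non-digit runs (mirrors dpkg):
    '~' before everything (even end of string), end-of-string/digits 0,
    letters by code point, all other characters after the letters."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision fragment.

    Alternates between a run of non-digits (compared with _order) and a run of
    digits (compared numerically) until both strings are exhausted."""
    while a or b:
        ra = re.match(r"[^0-9]*", a).group(0)
        rb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i]) if i < len(ra) else 0
            ob = _order(rb[i]) if i < len(rb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The epoch is everything before the first ':'; the revision is everything
    after the last '-'."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than version b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upstream_only(version):
    """The bare upstream version a banner-matching scanner sees; this is why
    a patched 16.04 Samba still looks like 4.3.11 to the scanner."""
    return split_version(version)[1]


def verdict(installed, fixed_in):
    """Classify a scanner finding by whether the backported fix is installed."""
    if compare_versions(installed, fixed_in) >= 0:
        return "false positive: installed package already contains the fix"
    return "affected: installed package predates the fix"


if __name__ == "__main__":
    # Versions quoted in this article; 'samba' / dpkg-query line is illustrative:
    #   dpkg-query -W -f='${Version}\n' samba
    installed = "2:4.3.11+dfsg-0ubuntu0.16.04.28"
    fixed_in = "2:4.3.11+dfsg-0ubuntu0.16.04.24"
    print("scanner sees:", upstream_only(installed))
    print(verdict(installed, fixed_in))
```

The fixed-in version for a given CVE comes from the Launchpad changelog linked above or the corresponding Ubuntu Security Notice; comparing only `upstream_only()` against upstream release numbers reproduces the scanner's false positive, which is exactly the behaviour this section describes.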
IPMI Related Concerns
At the moment, Datto OS releases and updates do not interact directly with IPMI, but they may in the future. Datto recommends mitigating the risks of any flagged CVEs or audit findings that reference IPMI through proper implementation of security best practices. For the time being, the mitigations we recommend are:
- Implement IP-based filtering appropriate to the operating environment to restrict access to only the systems that need it.
- Disable IPMI entirely from the BIOS of the system (Web UI -> Configure -> Networking -> IPMI -> Disable IPMI).
- See Secure deployment best practices for Datto appliances
Self-signed certificates (Datto Windows Agent)
Self-signed certificates for the Datto Windows Agent may get flagged as an untrusted certificate in use on port 25568: "TLS/SSL certificate signed by unknown, untrusted CA: CN=dla.ca.Datto.com". This is expected behavior and poses no risk. You can safely ignore this error.
Glossary and Additional Resources

CVE is a list of publicly known cybersecurity vulnerability entries, each containing an identification number, a description, and at least one public reference. Numerous cybersecurity products and services around the world use CVE entries.
MITRE CVE Website(external link)

A CVE ID is the numeric portion of a CVE entry (e.g., CVE-2013-948574) and is a standard method for identifying vulnerabilities. The ID comprises the CVE prefix, the year the CVE was assigned or made public, and a sequence number.
MITRE CVE Website - What is a CVE ID?(external link)

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
MITRE CVE, CVE Numbering Authorities(external link)

CVSS (the Common Vulnerability Scoring System) is a system created to detail the characteristics of a vulnerability and provide a numerical score representing its severity. This score commonly translates into low, medium, high, and critical values to aid proper assessment and prioritization in vulnerability management.
First CVSS User Guide (external link)

Ubuntu Security Notices are the security notices that affect the currently supported releases of Ubuntu. These notices contain a summary of the vulnerability, affected systems, details behind the original discovery, update instructions, and other public references.
Ubuntu Security Notice Website(external link)
Commonly Flagged Vulnerabilities
Table columns: CVE ID, Status, Description (contains external links)

Although all Linux systems are vulnerable to the Cobalt Strike attack tool set, it is important to note that BCDR devices have a low attack surface. With this in mind, we find it very unlikely that an attacker would be able to plant this tool set on a BCDR device: for this attack to succeed, an attacker would need SSH or console access to the device itself, which should be locked by default. We recommend ensuring strict security controls are in place internally and referencing our Secure Deployment Guide. See Secure deployment best practices for Datto appliances.

Affected*
Datto BCDR appliances use the gnutls_rnd() module of Samba, which is affected by CVE-2022-1615. As BCDR appliances use the Ubuntu Linux operating system, devices are affected per Ubuntu's advisory at https://ubuntu.com/security/CVE-2022-1615; however, we do not have a known path to attack devices using this vulnerability at this time. Based on the initial assessments from Ubuntu and Samba, this vulnerability is rated a medium risk.

True Positive
This is technically a true positive due to the current OpenSSH implementation, of which the 'scp' utility is a part. However, it is considered low risk because Datto support has no current workflows in which the 'scp' utility would be used. Exploitation also requires both that the SSH daemon be unlocked (which it is not by default) and that the attacker hold the backup-admin credentials, which are stored in the partner portal and protected by mandatory MFA. The recommended mitigation is to ensure the SSH daemon is turned off; Tech Support can confirm that this is the case.
Ubuntu Security Advisory(external link)

False Positive
This flaw is not applicable to Datto’s Samba Implementation as Samba is higher than the version needed for exploitation.
Ubuntu Security Advisory (external links): CVE-2020-14383

False Positive
This flaw is not applicable to Datto’s Samba Implementation as Samba is higher than the version needed for exploitation.
Ubuntu Security Advisory(external link)

Not Applicable
CVE-2020-14303 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode
Ubuntu Security Advisory(external link)

Not Applicable
Due to the way the SIRIS image is deployed, we do not natively run SaltStack services on the device in a way that would allow CVE-2020-11651,21652 to be exploited.
Ubuntu Security Advisory (external link)

Not Applicable
Due to the way the SIRIS image is deployed, we do not natively run SaltStack services on the device in a way that would allow CVE-2020-11651,21652 to be exploited.
Ubuntu Security Advisory (external link)

Not Applicable
The jQuery package does not run natively on SIRIS devices.
Security Advisory(external link)

False Positive
This flaw is not applicable to Datto’s Samba Implementation as Samba is higher than the version needed for exploitation.
Ubuntu Security Advisory (external links): CVE-2020-10760

False Positive
Our current version of Samba on the SIRIS image is 2:4.3.11+dfsg-0ubuntu0.16.04.28, which makes this a false positive; devices are not affected. This fix was put into place in IRIS release 3.103, released on 10-20-20. Secure deployment best practices for Datto appliances (external link)

Not Applicable
CVE-2020-10704 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode
Ubuntu Security Advisory(external link)

False Positive
This vulnerability is not applicable to Datto's Samba implementation, as Samba is currently running version 2:4.3.11+dfsg-0ub, which is the upstream version released with Canonical's latest patching. This was patched in the 16.04 Samba release. Ubuntu Security Advisory(external link)

Not Applicable
CVE-2019-14907 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode.

Not Applicable
CVE-2019-14902 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode.

Not Applicable
CVE-2019-14861 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode.

Not Applicable
CVE-2019-14847 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode.

Not Applicable
CVE-2019-14833 is not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode.

False Positive
Ubuntu addressed this issue in version 2:4.3.11+dfsg-0ubuntu0.16.04.24.
Ubuntu Security Advisory(external link)

False Positive
Ubuntu addressed this issue in version 2:4.3.11+dfsg-0ubuntu0.16.04.23; see the security advisory.
Samba Security Advisory(external link)

False Positive
Ubuntu addressed this issue in version 2:4.3.11+dfsg-0ubuntu0.16.04.19; see the security advisory.
Samba Security Advisory (external link)

Not Applicable
CVE-2019-3824 and CVE-2019-3870 are not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode. CVE-2019-3824, CVE-2019-3870 (external links)

Not Applicable
CVE-2019-3824 and CVE-2019-3870 are not applicable to Datto's Samba implementation as Samba is not configured by Datto to use AD DC mode. CVE-2019-3824, CVE-2019-3870 (external links)

Not Applicable
Does not apply to software found in Ubuntu.

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

False Positive
Ubuntu addressed this issue in a back-ported software release. CVE-2018-15473 (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory (external link)

Not Applicable
Not Applicable.(external link).

False Positive
Ubuntu addressed this issue in version 2:4.3.11+dfsg-0ubuntu0.16.04.15. Samba Security Advisory (external link)

False Positive
Ubuntu addressed this issue in a back-ported software release. Intel Microcode Vulnerabilities(external link)

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

False Positive
Ubuntu addressed this issue in a back-ported software release. Netatalk Security Advisory(external link)
Datto IRIS release 3.82 on 2/11/19 also resolved this issue. IRIS Release notes

Not Applicable
Not Applicable.(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release Samba Security Advisory(external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory(external link)

Not Applicable
The exploitation of this issue requires active print spooling and the RPC spoolss daemon to be listening. Datto does not configure devices with these settings.
Samba Security Advisory(external link)

False Positive
Datto has addressed this issue in a combined release of Datto Windows Agent version 1.0.6.0 and Datto OS 3.68.8

False Positive
Datto has addressed this issue in a combined release of ShadowSnap agent version 4.0.0 and Datto OS 3.68.8

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

Not Applicable
None of the affected Apache modules are in use on Datto appliances.

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

Not Applicable
This CVE has been redacted and marked as N/A.

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
The exploitable code required for this issue does not exist in Ubuntu 16.04 LTS (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
The affected software is not present in Ubuntu systems (external link).

Not Applicable
The affected software is not present in Ubuntu systems (external link).

Not Applicable
The affected software is not present in Ubuntu systems (external link).

Not Applicable
Datto does not install Apache Struts on Datto appliances.

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
Although the affected code is present in the installed software version, the threat model described here does not apply to Datto appliances, because users of shares are not able to configure directories in this way.

False Positive
Datto addressed this issue in the Datto IRIS 3.71.3 release

In Progress
Datto is standing by for upstream providers to provide a suitable fix for affected hypervisor components. When those are available, they will be tested and included in a future release.

False Positive
Datto IRIS 3.71.3 release addressed this issue.

Not Applicable
Datto does not install Apache Struts on Datto appliances.

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

Not Applicable
Ubuntu addressed this issue in a back-ported software release. (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link).

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
Not present in Ubuntu 16.04 systems as the required http2 module is not loaded or supported
Ubuntu Security Notice (external link).

False Positive
jQueryUI is not installed or running natively on the Datto SIRIS packaging. https://ubuntu.com/security/CVE-2016-7103

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
This issue does not apply to software found in Ubuntu.

False Positive
Ubuntu addressed this issue in a back-ported software release(external link)

False Positive
Ubuntu addressed this issue in a back-ported software release.(external link)

Not Applicable
Not present in Ubuntu 16.04 systems as the required http2 module is not loaded or supported.

False Positive
Ubuntu addressed this issue in a back-ported software release (external link).

False Positive
Ubuntu addressed this issue in a back-ported software release(external link)

False Positive
Ubuntu addressed this issue in a back-ported software release(external link)

False Positive
Ubuntu addressed this issue in a back-ported software release (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Security Advisory(external link)

False Positive
Ubuntu addressed this issue in a back-ported software release.

False Positive
Ubuntu addressed this issue in a back-ported software release.

Not Applicable
By default, Datto does not deploy BCDR devices with mandatory SMB signing. Signing must be configured on both sides of the connection. If you decide to enable it, contact Datto Technical Support for assistance.
SMB Signing Overview (external link)

Not Applicable
By default, Datto does not deploy BCDR devices with mandatory SMB signing. Signing must be configured on both sides of the connection. If you decide to enable it, contact Datto Technical Support for assistance.
SMB Signing Overview (external link)

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory CVE-2016-2113

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory CVE-2016-2112

Not Applicable
The exploitation of this issue requires that Datto configure appliances as Samba 4 AD Domain Controllers with LDAP server capabilities. Datto does not configure appliances with these settings.
Samba Security Advisory CVE-2016-2113

Not Applicable
Ubuntu addressed this issue in a back-ported software release.

Not Applicable
Not present in Ubuntu 16.04 systems as the required http2 module is not loaded or supported.

False Positive
Ubuntu has addressed this issue in a back-ported software release (external link).

Affected*
The state outlined in this CVE is the intended operating state of restores. If this is unacceptable, enable the Secure File Restore & Export option in the Configure Agent Settings page to require authentication to the affected shares.

False Positive
These web directories are no longer accessible.

False Positive
Datto addressed this issue in the Datto OS 3.58.0 release with the deprecation of VNC capabilities.

Not Applicable
The Datto IRIS stack does not run the vulnerable PHP5 package. A vulnerability scanner alert for this may indicate an HTTP format string vulnerability; this is a false positive.

False Positive
Ubuntu addressed this issue in a back-ported software release

Not Applicable
Ubuntu addressed this issue in a back-ported software release

Not Applicable
Findings within CVE-2015-3642 are not applicable to Datto SIRIS or to software found in Ubuntu.

Not Applicable
The exploitable ‘mod_copy’ module is disabled and does not affect the installed software version.

False Positive
Datto has addressed this issue by introducing an allowlist of the commands necessary for the device and agents to function as intended.

Not Applicable
Findings within CVE-2014-8730 are not applicable to Datto SIRIS or to software found in Ubuntu.
Security Advisory (external link)

Not Applicable
Current OpenSSL upstream version installed is 1.0.2g. (external link).

Not Applicable
Ubuntu addressed this issue in a back-ported software release (external link).

Not Applicable
Current upstream SSH version is OpenSSH 7.2p2, which is not vulnerable to this attack. (external link)

False Positive
The Netatalk service on the device is configured to have an available User Authentication Method (UAM) 'cleartxt passwrd' enabled by default for the support of older Mac OS machines. If you would like the cleartxt passwrd functionality disabled, contact Datto Technical Support.

Not Applicable
This does not affect the Linux TCP stack in any meaningful way.

False Positive
The Datto IRIS software stack does not utilize the nfs-utils packaging.

Not Applicable
Normal device function (off-site synchronization) surfaces as "SSH_EVENT_RESPOVERFLOW" alerts in certain IDS solutions. You can consider it a false positive as it does not affect Ubuntu systems, as stated here. Configuring your IDS to block this traffic will cause offsite sync to stop running.
See SNORT rule 128-1 (external link) for more information.

Not Applicable
Normal device function (off-site synchronization) surfaces as "SSH_EVENT_RESPOVERFLOW" alerts in certain IDS solutions. You can consider it a false positive as it does not affect Ubuntu systems, as stated here. Configuring your IDS to block this traffic will cause offsite sync to stop running.
See SNORT rule 128-1 (external link) for more information.

True Positive
Datto addressed this issue in a Datto IRIS software release. However, user enumeration is still possible based on the current configuration needed for functionality. Share enumeration is not possible. We recommend following the Security Best Practices article to further decrease any local risk.

Not Applicable

Not Applicable
Datto does not configure the exploitable WINS (Windows Internet Name Service) in Samba on Datto appliances.

Affected*
The state outlined in this CVE is the intended operating state of the NFS service. Hypervisor restores and backups require this functionality.

Affected*
The state outlined in this CVE is the intended operating state of the NFS service. Hypervisor restores and backups require this functionality.

Not Applicable
Access controls for our SMB shares are appropriate for backup usage. https://nvd.nist.gov/vuln/detail/CVE-1999-0520

Partially Resolved
Datto partially addressed this issue in a recent Datto IRIS Software Release. Null sessions are no longer conventionally possible.

False Positive
Datto addressed this issue in the 3.73 release in May of 2018. Datto IRIS Release Notes

False Positive
Datto addressed this issue in the 3.73 release in May of 2018. Datto IRIS Release Notes

False Positive
Datto addressed this issue in the 3.73 release in May of 2018. Datto IRIS Release Notes

False Positive
The exploitation of this issue requires a blank password field to be present in the /etc/shadow file. We do not ship devices this way. What is likely triggering this alert is the scan finding accounts that have no password listed: the daemon accounts running on the device. These are responsible for device and VM functionality and are locked for authentication by default.
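The distinction in the entry above, between a truly blank password field and a daemon account whose field is locked, is easy to verify locally. The following is an added example, not Datto's code: it classifies each /etc/shadow line by its second field (empty means no password is required at all; a field beginning with "*" or "!" can never match a password hash, so the account is locked; anything else is a hashed password) and lists only the accounts that would make this finding a true positive. The sample shadow text is constructed, including the placeholder hash for root; the account names are illustrative.

```python
"""Classify /etc/shadow password fields so a 'blank password' scanner
finding can be checked against locked daemon accounts.  Added example,
not Datto's code.  Reading the real /etc/shadow requires root."""
import sys

# Constructed sample; the root hash is a placeholder, not a real crypt string.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::
daemon:*:17000:0:99999:7:::
sshd:!:17500:0:99999:7:::
svcuser:!!:17600:0:99999:7:::
guest::18200:0:99999:7:::
badline
"""


def classify_password_field(field):
    """Map the shadow password field to 'blank', 'locked' or 'hashed'.

    '' : no password is required to authenticate (the real finding).
    '*' or anything starting with '!' : crypt() output never begins with
        these characters, so no password can match; the account is locked
        for password authentication (typical for daemon accounts).
    otherwise : a hashed password is set.
    """
    if field == "":
        return "blank"
    if field[0] in "*!":
        return "locked"
    return "hashed"


def audit_shadow_text(text):
    """Return {username: state} for every well-formed line of shadow text.
    Lines without at least 'user:password' are ignored."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        result[parts[0]] = classify_password_field(parts[1])
    return result


def blank_password_accounts(text):
    """Accounts that genuinely authenticate with an empty password."""
    return sorted(u for u, s in audit_shadow_text(text).items() if s == "blank")


def locked_accounts(text):
    """Accounts a naive 'no password listed' check would also flag."""
    return sorted(u for u, s in audit_shadow_text(text).items() if s == "locked")


if __name__ == "__main__":
    # Usage: python3 shadow_audit.py [/etc/shadow]; with no argument the
    # constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    print("blank (true positive):", blank_password_accounts(text))
    print("locked (expected for daemons):", locked_accounts(text))
```

On the constructed sample only `guest` is a real finding; `daemon`, `sshd` and `svcuser` are the kind of locked service accounts the entry above describes, and a scanner that reports them is producing the false positive this table documents.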