Datto has revealed two security vulnerabilities affecting the data protection vendor's agents and one of its rivals is responsible for the disclosure.
Datto said vulnerabilities in its system could allow a rogue user to either pair with an agent or bypass agent command execution restrictions. Datto CTO Robert Gibbons detailed the specifics in a five-page open letter published Monday. Continuum Managed Services, a Datto competitor, first reported the issues to Datto on 25 October.
There are currently no reports of client devices or cloud backup data being compromised as a result of these vulnerabilities, Gibbons said.
Continuum was going to provide a security update to its clients, but Datto wanted to get the word out first. Datto believed that public disclosure of an unpatched vulnerability would make users more vulnerable, Gibbons said, particularly if the exploit is unlikely to be discovered in the interim and the company is working diligently to address it.
"We are concerned that their update may focus only on worst-case scenarios, not take into account that the vast majority of our partners are IT experts with standard network security practices in place to prevent these exploits from ever being used today, and could only offer limited mitigation advice," Gibbons wrote.
Continuum's engineering team had determined that a number of its partners still using the Continuum Vault BDR (backup and disaster recovery) solution would potentially be affected by the vulnerabilities in Datto's software, Continuum chief executive Michael George said in a statement. The companies stopped selling Vault in 2015 once Continuum got its own BDR offering, though the product continues to be supported through 2019.
The Continuum team was working with Datto to prepare communication that would privately inform the affected Continuum partners and ensure their technicians were aware of the situation, George said.
"At no point were specific details of the exploits included in our proposed communication to our partners, nor was this communication planned to be made public as we previously informed Datto," George said in a statement. "Continuum is acutely aware of the risks involved in broader communication."
Continuum suffered its own security incident in summer 2016 after hackers exploited a leftover legacy IP scanning tool on the server of an end-user client, deploying malware and creating a few bogus admin accounts, George said in September 2016. Datto didn't respond to a request for additional information about the security vulnerabilities.
Continuum took Datto to court in late 2012 around the deliverables associated with the company's BDR partnership. A judge sided with Continuum and ordered Datto to deliver a GUI-based tool to the company.
The competition between Datto and Continuum will soon expand beyond BDR and into remote management and monitoring (RMM) once Datto closes its merger with Autotask later in the year. Datto chief executive Austin McChord will lead the combined company.
Datto agents could currently be susceptible to rogue pairing, or the ability for an attacker to pose as a new Datto device and request that data, usually backup data, be sent to it. As a result, Datto said it needs to improve how its agents and devices verify each other's identity to prevent imposter devices or device impersonation.
Datto said it is working both with StorageCraft and on its own agent to release an update that vastly improves its device-agent pairing and verification process, and expects to release an update that addresses the problem within the next 30 days.
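The letter does not say how the improved pairing will work, so the following is an added illustration, not Datto's or StorageCraft's code, of the property it describes: before an agent sends any backup data, both sides prove they hold a pairing secret that an impostor device would not have. The secret, the nonce sizes and the role labels are assumptions chosen for the example; the exchange is a plain HMAC challenge-response, with the role bound into each proof so a device's proof cannot be replayed as an agent's.

```python
import hashlib
import hmac
import secrets

# Constructed pairing secret for the example. In practice it would be
# provisioned out of band (e.g. displayed on the device and entered on the
# agent) and never sent over the network in the clear.
PAIRING_SECRET = b"constructed-example-pairing-secret"


def _proof(secret: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    # MAC over both nonces plus the prover's role, so each proof is bound to
    # this exchange and to the side that produced it.
    return hmac.new(secret, role + nonce_a + nonce_b, hashlib.sha256).digest()


class Agent:
    """Side that holds the backup data and must not release it to an impostor."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.nonce = None
        self.peer_nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_device(self, device_nonce: bytes, device_proof: bytes) -> bool:
        self.peer_nonce = device_nonce
        expected = _proof(self.secret, b"device", self.nonce, device_nonce)
        # Constant-time comparison so a forged proof leaks nothing via timing.
        return hmac.compare_digest(expected, device_proof)

    def prove(self) -> bytes:
        return _proof(self.secret, b"agent", self.nonce, self.peer_nonce)


class Device:
    """Side that asks to be paired and to receive backup data."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.nonce = None
        self.peer_nonce = None

    def respond(self, agent_nonce: bytes):
        self.peer_nonce = agent_nonce
        self.nonce = secrets.token_bytes(16)
        return self.nonce, _proof(self.secret, b"device", agent_nonce, self.nonce)

    def verify_agent(self, agent_proof: bytes) -> bool:
        expected = _proof(self.secret, b"agent", self.peer_nonce, self.nonce)
        return hmac.compare_digest(expected, agent_proof)


def pair(agent: Agent, device: Device):
    """Run the exchange. Returns (agent_accepts_device, device_accepts_agent)."""
    n_a = agent.challenge()                 # agent -> device: nonce
    n_d, proof_d = device.respond(n_a)      # device -> agent: nonce + proof
    if not agent.verify_device(n_d, proof_d):
        return False, False                 # agent refuses; no data is sent
    device_ok = device.verify_agent(agent.prove())  # agent -> device: proof
    return True, device_ok


if __name__ == "__main__":
    print("genuine device:", pair(Agent(PAIRING_SECRET), Device(PAIRING_SECRET)))
    print("impostor device:", pair(Agent(PAIRING_SECRET), Device(b"guessed-secret")))
```

The agent only proves itself after the device has proved itself, so a rogue device that cannot produce a valid proof learns nothing about the agent beyond a random nonce and receives no data.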
Additionally, a Datto Windows Agent vulnerability was recently identified where a malformed primary whitelisted command could allow a secondary, non-whitelisted command to be executed. The whitelist design is supposed to require that requests sent by a device to an agent will only be executed if they are whitelisted in advance.
The Datto team has already addressed this bug in its latest software, and continues to work with StorageCraft to update their software to implement command whitelisting, according to Gibbons.
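Gibbons' letter gives no detail of the malformed-command bug beyond the description above, so the following is an added illustration, not the Datto or StorageCraft agent code, of the difference between a whitelist check that looks only at the start of a request and one that validates the whole request. The command names, arguments and the rejection rules are assumptions chosen for the example. The strict version rejects shell metacharacters, tokenizes without a shell, requires every argument to match the whitelist entry exactly, and returns an argv list that would be executed directly rather than through a shell.

```python
import re
import shlex

# Constructed whitelist for the example (an assumption, not Datto's real list):
# command name -> the exact argument list the agent is willing to run.
WHITELIST = {
    "agent-status": [],
    "snapshot": ["--volume", "C:"],
}

# Characters that would let a shell chain, pipe, redirect or substitute.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")


def naive_is_allowed(request: str) -> bool:
    """The weak pattern: accept if the request begins with a whitelisted name.

    Anything after the recognised prefix is never inspected, so a request that
    starts with an allowed command but carries more text behind it passes.
    """
    return any(request.startswith(name) for name in WHITELIST)


def strict_argv(request: str):
    """Hardened check. Returns the argv list to execute, or None if rejected.

    1. refuse any shell metacharacter outright;
    2. tokenize with shlex (no shell involved), rejecting malformed quoting;
    3. require the executable name to be a whitelist key;
    4. require the remaining arguments to equal the whitelisted list exactly.
    """
    if SHELL_META.search(request):
        return None
    try:
        argv = shlex.split(request)
    except ValueError:            # e.g. unterminated quote
        return None
    if not argv or argv[0] not in WHITELIST:
        return None
    if argv[1:] != WHITELIST[argv[0]]:
        return None
    # The caller would run this as subprocess.run(argv) with shell=False,
    # so the tokens can only ever be arguments to the whitelisted program.
    return argv


if __name__ == "__main__":
    # Constructed sample requests; "secondary-command" stands for anything
    # that is not on the whitelist.
    for req in ["agent-status",
                "snapshot --volume C:",
                "agent-status; secondary-command",
                "agent-status-extra",
                "snapshot --volume D:"]:
        print(f"{req!r:40} naive={naive_is_allowed(req)!s:5} strict={strict_argv(req)}")
```

The prefix check accepts both the chained request and the similarly named `agent-status-extra`; the strict check accepts only requests that are byte-for-byte one of the pre-approved commands, which is what "whitelisted in advance" has to mean for the control to hold.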
"This incident has provided me with difficult judgment calls, forcing me to balance our commitment to transparency with the best ways to protect our partner community," Gibbons wrote. "We pride ourselves in putting our partners' interest first."