Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this agent, if the attacker can reach the agent on TCP port 25566 or 25568, and send unspecified "specific information" by which the agent identifies a network device that is "appearing to be a valid Datto."
References
Link | Resource |
---|---|
https://www.datto.com/partner-security-update-nov2017 | Mitigation Patch Vendor Advisory |
https://www.datto.com/partner-security-update-nov2017 | Mitigation Patch Vendor Advisory |
Configurations
History
21 Nov 2024, 03:16
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.datto.com/partner-security-update-nov2017 - Mitigation, Patch, Vendor Advisory |
Information
Published : 2017-11-09 04:29
Updated : 2024-11-21 03:16
NVD link : CVE-2017-16673
Mitre link : CVE-2017-16673
CVE.ORG link : CVE-2017-16673
JSON object : View
Products Affected
datto
- backup_agent
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor