Thursday, February 26, 2015

CVE-2015-2081: Multiple Vulnerabilities in DATTO Siris and Alto

# Exploit Title: Multiple Vulnerabilities in DATTO Siris and Alto

# Date: 2/26/15
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: http://www.datto.com
# Version: Siris and Alto Products
# Tested on: N/A
# CVE : 2015-2081


Product Affected:
Datto Siris and Datto Alto Physical and Virtual Devices
 

These vulnerabilities were cross-checked against multiple installs; the configuration was identical on every system and every version encountered.

Vulnerabilities:


1. VNC is enabled on the devices by default and is protected by a static password set by the vendor, the same password across installs.


Update: Vendor acknowledges this issue and has stated that the end users can (and should) change the VNC password inside of the administration console.
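As an added example (not part of the original advisory), the following Python script performs the check a practitioner would run against a device to confirm finding 1 and, later, to verify remediation: it completes the RFB version exchange and reads the security types the server offers. The target host, the port (the standard 5900) and the constructed handshake bytes used in the self-test are assumptions. The script cannot tell whether the VNC password is still the vendor default, only whether password authentication is in use, absent, or replaced by something stronger.

```python
import socket
import struct

# Security type numbers registered for RFB (RFC 6143 / IANA registry).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                 # no authentication at all
    2: "VNC Authentication",   # DES challenge-response, password truncated to 8 bytes
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, data: bytes):
    """Parse the server's security-type announcement sent after the version exchange."""
    if version >= (3, 7):
        # 3.7+: one count byte followed by that many type bytes; count 0 means refusal.
        count = data[0]
        if count == 0:
            (reason_len,) = struct.unpack(">I", data[1:5])
            reason = data[5:5 + reason_len].decode("latin-1", "replace")
            raise ConnectionError(f"server refused connection: {reason}")
        return list(data[1:1 + count])
    # 3.3: the server picks a single type and sends it as a big-endian u32.
    (stype,) = struct.unpack(">I", data[:4])
    return [stype]


def assess(types):
    """Turn the offered security types into a verdict for the finding."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        verdict = "CRITICAL: server offers 'None' (no authentication)"
    elif types and all(t == 2 for t in types):
        verdict = ("WARNING: only classic VNC password auth is offered; "
                   "confirm the password is not the vendor default")
    else:
        verdict = "INFO: stronger security types are offered"
    return names, verdict


def probe(host, port=5900, timeout=5.0):
    """Connect to a VNC server, complete the version exchange and assess its security types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_version(banner)
        # Echo the server's own version back: valid for 3.3, 3.7 and 3.8.
        s.sendall(banner)
        data = s.recv(256)
        return version, assess(parse_security_types(version, data))


if __name__ == "__main__":
    # Constructed sample exchange (not captured from a device): a 3.8 server
    # offering only VNC Authentication, which is what finding 1 describes.
    sample_banner = b"RFB 003.008\n"
    sample_types = bytes([1, 2])
    v = parse_version(sample_banner)
    print(v, assess(parse_security_types(v, sample_types)))
```

Run `probe("device-hostname")` from a host that can reach the appliance; a device on which VNC has been disabled per remediation item 1 will refuse the TCP connection, and one that still answers with only type 2 needs its password checked against the vendor default.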

2. The devices ship PHP 5.3.2, an obsolete release with multiple publicly known vulnerabilities and attack vectors.


Update: Vendor acknowledges this issue and has stated that the versions in use are being addressed in a future release.

3. Multiple web virtual directories leak sensitive information (backup data, software versions, the virtual machines running on the device, and configuration details) to unauthenticated clients of the installed web server.


Update: Working with vendor on this issue.

4. Remote code execution can be achieved by invoking PHP scripts that the vulnerable web server exposes to unauthenticated users.


Update: Working with vendor on this issue.

5. Device/VM restore mount points allow unauthenticated access by default, letting a remote attacker read sensitive information and data from the restored images.


Update: Vendor acknowledges this issue and has stated that end users can (and should) apply an ACL, from within the administration console, to the folders it creates.
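As an added example (not the vendor's console feature and not code from the original advisory), the following Python script shows the local check and fix behind finding 5 and remediation item 5, assuming the restore mount points are directories under one root on a Linux host: it lists mount points that any local user can enter or read, strips world access from them, and re-audits. The root path, the directory names and the permissions in the self-test are constructed. If the mount points are also exported over SMB or NFS, the share-level ACL has to be restricted as well; this script only covers the filesystem side.

```python
import os
import stat
import tempfile
from pathlib import Path


def world_bits(path: Path):
    """Return the 'other' permission bits set on path as a string ('' means no world access)."""
    mode = path.stat().st_mode
    bits = ""
    if mode & stat.S_IROTH:
        bits += "r"
    if mode & stat.S_IWOTH:
        bits += "w"
    if mode & stat.S_IXOTH:
        bits += "x"
    return bits


def audit_mounts(root: Path):
    """Report every mount-point directory directly under root that is world-accessible."""
    findings = {}
    for entry in sorted(root.iterdir()):
        if entry.is_dir():
            bits = world_bits(entry)
            if bits:
                findings[entry.name] = bits
    return findings


def restrict(path: Path, mode=0o750):
    """Owner full access, group read/traverse, nothing for others; returns remaining world bits."""
    os.chmod(path, mode)
    return world_bits(path)


def demo():
    """Self-contained run on a constructed mount root; returns (findings before, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed mount points: one left wide open, one already restricted.
        open_mount = root / "restore-vm01"
        open_mount.mkdir()
        os.chmod(open_mount, 0o777)   # mkdir honours umask, so set the mode explicitly
        closed_mount = root / "restore-vm02"
        closed_mount.mkdir()
        os.chmod(closed_mount, 0o750)

        before = audit_mounts(root)
        for name in before:
            restrict(root / name)
        after = audit_mounts(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-accessible before:", before)
    print("world-accessible after: ", after)
```

Point `audit_mounts` at the real mount root (a hypothetical `/mnt/restore`, say) to get the list of exposed restore points; `restrict` uses plain mode bits, and `setfacl` can be substituted where access must be granted to specific named users or groups.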


Vendor Alerted 2-26-15 


Vendor contacted 2-26-15 to discuss the issues and hand off the initial findings.


Remediation:

Working with vendor on remediation for multiple issues.

1. Change the password for the VNC server to a suitably complex password, or disable the service.

2. Implement compensating controls to detect or prevent attacks against the vulnerable PHP service.

3. No update. Apply the vendor patch when it is distributed.

4. No update. Apply the vendor patch when it is distributed.

5. Apply an access control list to the folders during or after creation and restoration.

Note: Information on these vulnerabilities will be updated as communication with the vendor continues.

Website: www.information-paradox.net

This vulnerability was discovered by singularitysec@gmail.com. Please credit the author in all references to this exploit.