EDIT: Datto’s official response here: http://www.datto.com/sbsresponse
I don’t work for Datto, but I have a large enough fleet of devices that there’s probably a ‘Most Wanted’ poster in their office with my name on it. I know a lot of people in the support department and there’s likely a collective “Oh no, him again!” when a new ticket comes in from my email address.
This morning, I saw a post come up on /r/netsec about security issues on Datto appliances. Reading this, I wanted to make a post about my take on these from an MSP’s perspective. I’ll write my thoughts on each subsection of the post by Silent Break Security, available here: http://silentbreaksecurity.com/tearing-apart-a-datto/
Initial Access:
The VNC password is absolutely well documented, it’s known all over the place. That being said, how are people getting access to the VNC server in the first place? Unless you forward a port or put a public IP on one of these devices, nobody can get into them without already being connected to you internal network.
To be fair, this doesn’t apply to internal power users who might want to snoop, but for as long as I can remember there has been the option to change the VNC password. To my knowledge, this will not impact support’s ability to work on the device, so this should be changed and documented for all of the devices in your fleet. It’s rare that I need to VNC in anyway and it always means that something else isn’t working (usually because a client’s firewall is blocking remote web, and even then I’ll usually just use the web UI from a server).
backup-admin is the account that you need to use to SSH into the appliance as it can su to root via sudo. Of course, this does require having a portal login to find out backup-admin’s password in the first place. I will say that I’ve never seen a backup-admin password change, which wouldn’t be a bad idea.
aurorauser’s password is also pretty well known, but Datto isn’t as forthcoming about it as the VNC password. I’m not really sure why this account exists, to be honest. I always just assumed that it was so the console could be logged in already when an end customer connected a monitor. I’d like to see this account disabled (depending on how that would impact other functions) and be presented with a login prompt (either a text based one or a graphical display manager) and do away with the automatic login of aurorauser.
Pulling out the root:
Nothing to say here. Time to update your fleet, Datto users.
Building a backdoor
This is bad-ish IMO. At this point you’re already root, so I’m not surprised that there’s a way to add users to the web UI. I’m not sure it matters though as pretty much everything can be done with snapctl/speedsync and the normal Linux commands (especially related to zfs) anyway.
Finding the keys:
I’m combining this and the next section into one paragraph. This is bad, but not as bad as it may seem. I didn’t know that snapctl had the addAgentPassphrase option. The problem I have with it is that Datto’s marketing makes the point that nobody, not even Datto, can help you if you forget your password. Here’s the thing, though. This is all only going to work if the agent is already unlocked. Meaning, after a reboot, *somebody* needed to know the correct passphrase before unlocking it, so presumably you need to have already unlocked the agent (it’s probably already unlocked to be fair), have root (not too hard if you’ve not upgraded to Ubuntu 12 yet) and that’s about it. This is a risk for sure, but closing the aurorauser hole will fix it.
The obfuscated source is annoying, though and. My first thought is ‘why bother’? You’re likely not going to be able to see these without root and it doesn’t buy you much aside from needing to remember to run it through the obfuscater when making changes.
This doesn’t take into account the possibility of support adding one surreptitiously, but I don’t think it’s fair to expect Datto to be able to mitigate the possibility of a rogue support agent.
I don’t really consider sending commands to the agent and the other things you can do with snapctl to be a major security risk. I know that these are used for troubleshooting.
Summary:
I think a lot of good can be done by the following:
- Updating all appliances to Ubuntu 12 (and staying on top of patches as they are released)
- Changing the VNC password regularly, just like backup-admin
- Putting a login screen on the console, rather than automatically logging in aurorauser
- Clarifying what is and isn’t possible regarding encryption agents (the logging in after reboot is too much of a hassle for me to bother most of the time. That’s not Datto’s fault, i just don’t want to do it)