Datto, Continuum Spar Over Security Vulnerability Disclosures


Printer-friendly version Email this CRN article

The competition between Datto and Continuum will soon expand beyond BDR and into remote management and monitoring (RMM) once Datto closes its merger with East Greenbush, N.Y.-based Autotask later in the year. Datto CEO Austin McChord will lead the combined company.

Datto agents could currently be susceptible to rogue pairing, or the ability for an attacker to pose as a new Datto device and request that data, usually in the form of backup, be sent to it. As a result, Datto said it needs to improve how its agents and devices verify each other's identity to prevent imposter devices or device impersonation.

Datto said it is working with both StorageCraft and its own agent to release an update that vastly improves its device-agent pairing and verification process, and expects to release an update that addresses the problem within the next 30 days.

Additionally, a Datto Windows Agent vulnerability was recently identified where a malformed primary whitelisted command could allow a secondary, non-whitelisted command to be executed. The whitelisted design is supposed to require that requests sent by a device to an agent will only be executed if they are whitelisted in advance.

The Datto team has already addressed this bug in its latest software, and continues to work with StorageCraft to update their software to implement command whitelisting, according to Gibbons.

"This incident has provided me with difficult judgment calls, forcing me to balance our commitment to transparency with the best ways to protect our partner community," Gibbons wrote. "We pride ourselves in putting our partner's interest first."

Datto has historically excelled at providing clarity and visibility around potential security incident, offering specificity around what occurred and outlining all the implications, according to Frank Picarello, COO of TeamLogic IT. The Mission Viejo, Calif.-based MSP has found that Datto typically does a tremendous job when it comes to threat response, mitigation, and remediation, Picarello said.    

"Datto has been extremely open about the very few issues that have occurred," Picarello said. "They don't try and cover it up. They don't try to spin it any way but the truth." 


Printer-friendly version Email this CRN article