Datto this week revealed two security vulnerabilities affecting the data protection vendor's agents, and one of its rivals is responsible for the disclosure.
Norwalk, Conn.-based Datto said vulnerabilities in its system could allow a rogue user to either pair with an agent or bypass agent command execution restrictions. Datto CTO Robert Gibbons detailed the specifics in a five-page open letter published Monday. Boston-based Continuum Managed Services, a Datto competitor, first reported the issues to Datto on Oct. 25.
There are currently no reports of client devices or cloud backup data being compromised as a result of these vulnerabilities, Gibbons said.
Continuum was going to provide a security update to its clients, but Datto wanted to get the word out first. Datto believed that public disclosure of an unpatched vulnerability would make users more vulnerable, Gibbons said, particularly when the exploit is unlikely to be discovered independently in the interim and the company is working diligently to address it.
"We are concerned that their update may focus only on worst-case scenarios, not take into account that the vast majority of our partners are IT experts with standard network security practices in place to prevent these exploits from ever being used today, and could only offer limited mitigation advice," Gibbons wrote.
Continuum's engineering team had determined that a number of its partners still using the Continuum Vault BDR (backup and disaster recovery) solution would potentially be affected by the vulnerabilities in Datto's software, Continuum CEO Michael George said in a statement. The companies stopped selling Vault in 2015 once Continuum got its own BDR offering, though the product continues to be supported through 2019.
The Continuum team was working with Datto to prepare communication that would privately inform the affected Continuum partners and ensure their technicians were aware of the situation, George said.
"At no point were specific details of the exploits included in our proposed communication to our partners, nor was this communication planned to be made public as we previously informed Datto," George said in a statement. "Continuum is acutely aware of the risks involved in broader communication."
Continuum suffered its own security incident in summer 2016 after hackers exploited the shadow of a legacy IP scanning tool left on the server of an end-user client, deploying malware and creating a few bogus admin accounts, George said in September 2016. Datto didn't respond to a request for additional information about the security vulnerabilities.
Continuum took Datto to court in late 2012 around the deliverables associated with the company's BDR partnership. A judge sided with Continuum and ordered Datto to deliver a GUI-based tool to the company.