Vulnerability Description
Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA) 1.0.5.0 and earlier. In other words, an attacker could combine this "primary/secondary" attack with the CVE-2017-16673 "rogue pairing" attack to achieve unauthenticated access to all agent machines running these older DWA versions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Datto | Windows Agent | <= 1.0.5.0 |
References
- https://www.datto.com/partner-security-update-nov2017MitigationPatchVendor Advisory
- https://www.datto.com/partner-security-update-nov2017MitigationPatchVendor Advisory
FAQ
What is CVE-2017-16674?
CVE-2017-16674 is a vulnerability with a CVSS score of 8.0 (HIGH). Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command a...
How severe is CVE-2017-16674?
CVE-2017-16674 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-16674?
Check the references section above for vendor advisories and patch information. Affected products include: Datto Windows Agent.