CVE-2015-9254

9.8 CRITICAL

📋 TL;DR

Datto ALTO and SIRIS backup appliances use a default VNC password that is publicly known, allowing attackers to gain remote graphical access to the devices. This affects all devices that haven't changed the default VNC credentials. The vulnerability enables complete system compromise.

💻 Affected Systems

Products:
  • Datto ALTO
  • Datto SIRIS
Versions: All versions prior to patching
Operating Systems: Datto OS (Linux-based appliance OS)
Default Config Vulnerable: ⚠️ Yes
Notes: All devices shipped with the default VNC password are vulnerable until the credentials are changed or VNC is disabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system takeover with administrative privileges, data exfiltration, ransomware deployment, and use as pivot point into internal networks.

🟠 Likely Case

Unauthorized access to backup systems, potential data theft or destruction, and credential harvesting from connected systems.

🟢 If Mitigated

Limited impact if VNC is disabled or strong authentication is enforced, though other attack vectors may still exist.

🌐 Internet-Facing: HIGH - Devices exposed to internet with default credentials are trivially exploitable.
🏢 Internal Only: HIGH - Even internally, default credentials pose significant risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires only a VNC client and knowledge of the default password. No special tools or skills are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific firmware updates released by Datto (exact version varies by device model)

Vendor Advisory: https://www.datto.com/security/advisories

Restart Required: Yes

Instructions:

1. Log into the Datto device management interface
2. Check for firmware updates
3. Apply the latest firmware update
4. Restart the device
5. Change the VNC password to a strong, unique value

🔧 Temporary Workarounds

Change VNC Password

all

Change the default VNC password to a strong, unique password.

Access Datto web interface -> Settings -> VNC -> Change password

Disable VNC Access

all

Completely disable the VNC service if it is not required.

Access Datto web interface -> Settings -> VNC -> Disable

🧯 If You Can't Patch

  • Change VNC password immediately to strong, unique value
  • Restrict network access to VNC port (5900/tcp) using firewall rules
  • Monitor VNC authentication logs for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Attempt a VNC connection to port 5900 using the default password. If the connection succeeds, the device is vulnerable.

Check Version:

Check firmware version in Datto web interface under System -> About

Verify Fix Applied:

A VNC connection attempt with the default password should fail. If VNC is required, verify that the new password works.

📡 Detection & Monitoring

Log Indicators:

  • Failed VNC authentication attempts
  • Successful VNC logins from unexpected sources
  • Multiple VNC connection attempts

Network Indicators:

  • VNC traffic (port 5900) from external IPs
  • VNC protocol handshakes
  • Brute force patterns on VNC port

SIEM Query:

source_port=5900 OR dest_port=5900 | stats count by src_ip, dest_ip
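The log and network indicators above (repeated failures from one source, a success from an unexpected address, a success right after a burst of failures, and per-source connection counts as in the SIEM query) can be checked with a small script before a SIEM rule exists. The following is an added example, not code from Datto or from the original advisory. The log line format, the management subnet 10.10.5.0/24, the threshold of 5 failures per minute, and all sample lines are constructed assumptions for this example; adapt the regex to the appliance's actual VNC server log format.

```python
"""Flag suspicious VNC authentication activity in syslog-style log lines.

Added example; the line format "<ISO timestamp> vncserver: <FAILED|SUCCESS> auth
from <ip>:<port>" is an assumption, not the appliance's real log format.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
2024-05-01T10:00:01 vncserver: FAILED auth from 203.0.113.7:51234
2024-05-01T10:00:03 vncserver: FAILED auth from 203.0.113.7:51235
2024-05-01T10:00:04 vncserver: FAILED auth from 203.0.113.7:51236
2024-05-01T10:00:06 vncserver: FAILED auth from 203.0.113.7:51237
2024-05-01T10:00:08 vncserver: FAILED auth from 203.0.113.7:51238
2024-05-01T10:00:09 vncserver: SUCCESS auth from 203.0.113.7:51239
2024-05-01T10:05:00 vncserver: SUCCESS auth from 10.10.5.20:40001
2024-05-01T11:00:00 vncserver: FAILED auth from 10.10.5.21:40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vncserver: (?P<result>FAILED|SUCCESS) auth from "
    r"(?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Assumed: only this subnet should ever reach the VNC service.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
FAIL_THRESHOLD = 5          # failures from one source ...
WINDOW = timedelta(minutes=1)  # ... within this window = brute-force pattern


def parse_lines(text):
    """Return a list of {ts, result, ip} dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "ip": m["ip"],
            })
    return events


def is_management(ip):
    """True if the source address belongs to an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def find_alerts(events):
    """Return (kind, ip, timestamp) tuples for the indicators listed above."""
    alerts = []
    recent_failures = defaultdict(list)  # ip -> timestamps inside WINDOW
    already_flagged = set()              # avoid one alert per extra failure
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "FAILED":
            window = [t for t in recent_failures[ip] if ts - t <= WINDOW]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= FAIL_THRESHOLD and ip not in already_flagged:
                alerts.append(("brute_force", ip, ts))
                already_flagged.add(ip)
        else:
            if not is_management(ip):
                alerts.append(("success_from_outside_mgmt", ip, ts))
            if recent_failures[ip]:
                alerts.append(("success_after_failures", ip, ts))
    return alerts


def count_by_source(events):
    """Per-source connection counts, the same aggregation as the SIEM query."""
    return Counter(ev["ip"] for ev in events)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for kind, ip, ts in find_alerts(evs):
        print(f"{ts.isoformat()} {kind:26} {ip}")
    print(count_by_source(evs))
```

On the sample input the script raises three alerts, all for 203.0.113.7: a brute-force burst at 10:00:08, then a success from outside the management network that also follows a run of failures. The single failure from 10.10.5.21 stays below the threshold and is not reported.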

🔗 References
