CVE-2017-16674

Current Description

Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA) 1.0.5.0 and earlier. In other words, an attacker could combine this "primary/secondary" attack with the CVE-2017-16673 "rogue pairing" attack to achieve unauthenticated access to all agent machines running these older DWA versions.

Basic Data

Published	November 09, 2017
Last Modified	October 03, 2019
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	NVD-CWE-noinfo
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:A/AC:M/Au:S/C:P/I:P/A:P
CVSS 2 - Access Vector	ADJACENT_NETWORK
CVSS 2 - Access Complexity	MEDIUM
CVSS 2 - Authentication	SINGLE
CVSS 2 - Confidentiality Impact	PARTIAL
CVSS 2 - Availability Impact	PARTIAL
CVSS 2 - Base Score	4.9
Severity	MEDIUM
Exploitability Score	4.4
Impact Score	6.4
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

CVSS 3 - Version	3.0
CVSS 3 - Vector String	CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 3 - Attack Vector	ADJACENT_NETWORK
CVSS 3 - Attack Complexity	HIGH
CVSS 3 - Privileges Required	LOW
CVSS 3 - User Interaction	NONE
CVSS 3 - Scope	CHANGED
CVSS 3 - Confidentiality Impact	HIGH
CVSS 3 - Integrity Impact	HIGH
CVSS 3 - Availability Impact	HIGH
CVSS 3 - Base Score	8.0
CVSS 3 - Base Severity	HIGH
Exploitability Score	1.3
Base Severity	HIGH

Configurations

Vulnerable Software List

Vendor	Product	Versions
Datto	Windows Agent	*

References