CVE-2017-16674

Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA) 1.0.5.0 and earlier. In other words, an attacker could combine this "primary/secondary" attack with the CVE-2017-16673 "rogue pairing" attack to achieve unauthenticated access to all agent machines running these older DWA versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8 HIGH
ADJACENT_NETWORK
HIGH
LOW
CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
VendorProductVersion
dattowindows_agent
𝑥
≤ 1.0.5.0
𝑥
= Vulnerable software versions
References
https://www.datto.com/partner-security-update-nov2017
https://www.datto.com/partner-security-update-nov2017