Users Slow to Update Netgear ReadyNAS Boxes Open To Remote Exploit 53
Trailrunner7 writes with this bit of news from Threatpost "A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box. 'There's a lot of room for people to get burned on this,' Young told Threatpost. 'I felt it is important to get the message out to people that if you're running the RAIDiator firmware (prior to the current version) it's easy to attack the system. As we've found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.'"
Re: (Score:2)
I always wanted to be a cosmonaut.
Why would you have this on an open network? (Score:2, Insightful)
Why is this network-attached storage device not behind a firewall? Seems kind of like you're asking for it. But then again, I've been seeing a lot of big businesses neglecting their firewall, buying into the cloud service, and then they wonder what happened.
Re: (Score:2)
Probably for the same reason they're not patched: disinterested deployment.
Re: (Score:2)
I re-sell NAS systems based on the idea that no on in an SMB setting is interested or even capable of dealing with a fully functional file server. To the folks in the office, the NAS is just "The network drive", while the guy who set it up probably isn't going to give it another thought until he hears that it's not working AND someone is offering to pay to get it fixed.
I also see a lot of NAS systems deployed as workarounds for dealing with slow IT staff response times, often because a manager someplace doe
Re: (Score:2)
I think NAS's are in the same category as SOHO routers. They suck and you should go straight to an Open Source software package on your own hardware for about the same cost.
Re: (Score:2)
You're not going to build a 5W ARM system with two or four hot-swap SATA drive bays in a decent enclosure with a decent transformer using new parts for less than what baby Synology NAS costs. I'm fully capable of assembling that sort of system but I can't do it cheaper, especially not if my time has value.
Re: Why would you have this on an open network? (Score:1)
Re: (Score:2)
Don't some of these devices offer personal "cloud services". They may need to be subject to a certain level of vulnerability in order to be fully functional.
Re: (Score:2)
yeah.. like streaming videos etc to your phone.
it's shit execution of course on pretty much every box.
Re: (Score:2)
White hat (Score:4, Funny)
How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?
Re: (Score:1)
Probably easier than getting out of jail if you used the program without permission on other people's stuff.
Re: (Score:3)
If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.
Re: (Score:3)
If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.
Any business that leaves its NAS accessible from the public internet is unlikely to notice an unsolicited firmware update (and just as unlikely to know that it's been hacked and used to serve up malware).
Re: (Score:2)
You'd hope so, but I could imagine some company somewhere has a public-facing NAS that stores the only copies of their mission-critical database, which is probably being used by some software which implodes permanently if the database becomes unavailable for more than eight seconds without prior notice.
Re: (Score:2)
Probably not.
"Hey, the db's offline again. Can you reboot the server?"
Re: (Score:2)
The kind of company that puts their NAS on the public internet strikes me as the kind whose system probably isn't that well-behaved.
Re: (Score:2)
How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?
Compared to what? It's significantly easier than testing all one by one to check if they are vulnerable.
It might be harder than transferring a small amount of money to the administrator in exchange for root access. In that scenario, the exploit would serve as an alibi for the admin to switch prison for just being fired, in case the entry was discovered; thus reducing the bribe amount.
Re: (Score:1)
How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?
From a strictly technical perspective, this particular vulnerability is in fact not hard at all to exploit and deliver a fix. diff: http://pastebin.com/aWCwdnhL [pastebin.com] We didn't actually make such a tool but VERT did discuss the possibility.
Re: (Score:2)
Yeah, that went well.
Re: (Score:2)
The firewall wouldn't change anything. If you want to access the NAS from the internet, you would open ports anyway, and leave accessible to attacks...
Re: (Score:2)
Re: (Score:2)
But no one told me (Score:5, Informative)
I have a ReadyNAS Pro 6
But I have not received any message from my NAS that there was a firmware update.
I get an E-Mail from my NAS everytime it runs it scrubbing. But have not received any messages about firmware updates.
I just logged in to my NAS and asked it to check for updates. And there was one.
If they want to get people to update the firmware. Then they should inform people that there is updates.
Re: (Score:3)
As much as getting an active notice (e.g. via e-mail) would be great, Netgear did send a passive notice, it just wasn't looked at. Best practice would be to check for updates on a regular (i.e. monthly, or more often depending the inherent level of paranoia) basis. Granted if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (Never did get why it doesn't).
If something is on the network (computer, server, NAS, application, tablet
Re: (Score:2)
Re: (Score:1)
Users slow to install security patches... (Score:1)
Re: (Score:2)
D'oh, beaten.
Are consumer ReadyNAS products vulnerable too? (Score:3)
If things like the ReadyNAS Duo or NV+ are vulnerable that's an even bigger problem, because they're even less likely to be patched than the models used by businesses.
Re: (Score:3)
The vulnerable ones are the ReadyNAS x86 based [readynas.com] models that currently are running firmware with version numbers like 4.2.X. Things like the ReadyNAS Duo are either ARM based [readynas.com] with versions 5.3.X, or SPARC based [readynas.com] with versions like 4.1.X. The buggy feature here looks like it's only on the more expensive models.
Re: (Score:2)
Thank you for your post, I have the old sparc based NAS and started to wonder if I need to patch.
(however I still have emails to remind me to install the lastest firmware 4.1.12 for sparc based NAS - security issues and DLNA features.)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
So are ARM-based ones (e.g. ReadyNAS Duo v2) not yet patched, or just not vulnerable to begin with?
Re: (Score:1)
Outside facing boxen (Score:2)
Where at the point where all outside facing devices need a mechanism for automatic updates, or at least automatic notification of updates.
I imagine that most of the ReadyNSA users have no idea they are vulnerable.
Re: (Score:3)
Nice Freudian slip there...
"Internet-facing" NAS (Score:2)
Netgear's recent incompetence (Score:2)