
Users Slow to Update Netgear ReadyNAS Boxes Open To Remote Exploit

Unknown Lamer posted about a year ago | from the laziness-begat-data-theft dept.

Software 53

Trailrunner7 writes with this bit of news from Threatpost: "A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box. 'There's a lot of room for people to get burned on this,' Young told Threatpost. 'I felt it is important to get the message out to people that if you're running the RAIDiator firmware (prior to the current version) it's easy to attack the system. As we've found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.'"


Happy Tuesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#45212143)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Tuesday from The Golden Girls! (0)

Anonymous Coward | about a year ago | (#45212201)

Wednesday?

Re:Happy Tuesday from The Golden Girls! (0)

Anonymous Coward | about a year ago | (#45212321)

A rare miss!

Re:Happy Tuesday from The Golden Girls! (1)

NatasRevol (731260) | about a year ago | (#45212857)

I always wanted to be a cosmonaut.

Why would you have this on an open network? (2, Insightful)

Anonymous Coward | about a year ago | (#45212191)

Why is this network-attached storage device not behind a firewall? Seems kind of like you're asking for it. But then again, I've been seeing a lot of big businesses neglecting their firewall, buying into the cloud service, and then they wonder what happened.

Re:Why would you have this on an open network? (1)

Sockatume (732728) | about a year ago | (#45212349)

Probably for the same reason they're not patched: disinterested deployment.

Re:Why would you have this on an open network? (1)

slaker (53818) | about a year ago | (#45213185)

I re-sell NAS systems based on the idea that no one in an SMB setting is interested in or even capable of dealing with a fully functional file server. To the folks in the office, the NAS is just "the network drive", while the guy who set it up probably isn't going to give it another thought until he hears that it's not working AND someone is offering to pay to get it fixed.

I also see a lot of NAS systems deployed as workarounds for dealing with slow IT staff response times, often because a manager someplace doesn't understand why it's so much more of a hassle for a storage admin someplace to allocate 6TB of space than it is to buy a low end Drobo and some crappy desktop drives. Staff IT might not even be aware that the boxes are out there.

Being able to be disinterested is in fact part of the sales pitch for a NAS in the first place.

Re:Why would you have this on an open network? (1)

pnutjam (523990) | about a year ago | (#45214083)

I generally talk people out of NAS's and deploy Linux or BSD boxes that operate as SMB share. I sometimes use prepackaged NAS distributions, but using your own hardware instead of the underpowered OEM NAS hardware.

I think NAS's are in the same category as SOHO routers. They suck and you should go straight to an Open Source software package on your own hardware for about the same cost.

Re:Why would you have this on an open network? (1)

slaker (53818) | about a year ago | (#45214339)

You're not going to build a 5W ARM system with two or four hot-swap SATA drive bays in a decent enclosure with a decent transformer using new parts for less than what a baby Synology NAS costs. I'm fully capable of assembling that sort of system but I can't do it cheaper, especially not if my time has value.

Re: Why would you have this on an open network? (1)

bradt (682447) | about a year ago | (#45215631)

I think that you've missed the point here... This isn't about price or performance... The vendor has identified and patched a vulnerability, and has made the patch available in a free update that is easy to install, yet a large number of users haven't installed the update yet. How would this be improved by using an open source solution, which is generally more complicated to administer than an appliance with an embedded OS?

Re:Why would you have this on an open network? (1)

jedidiah (1196) | about a year ago | (#45212423)

Don't some of these devices offer personal "cloud services"? They may need to be subject to a certain level of vulnerability in order to be fully functional.

Re:Why would you have this on an open network? (1)

gl4ss (559668) | about a year ago | (#45212923)

yeah.. like streaming videos etc to your phone.

it's shit execution of course on pretty much every box.

Re:Why would you have this on an open network? (1)

medv4380 (1604309) | about a year ago | (#45213171)

Not that simple. Put it behind a firewall that locks it down and a lot of them can't even be set up anymore. My father in law got one, but never really used it so he gave it to me. The device automatically maps through any UPnP NAT device, then marries itself to a domain owned by Netgear so you can go to something like mystora.com/devicename. If you know the device's name and serial number it can easily be rooted remotely as well. The setup instructions require you to use the web domain interface. If you try to go directly to the web interface it normally redirects you to the domain name. Any rational geek would lobotomize these ReadyNAS and Stora devices so that they don't root their networks. Nice devices based on their hardware, but their "features" are unacceptable.

White hat (3, Funny)

schneidafunk (795759) | about a year ago | (#45212223)

How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

Re:White hat (1)

Anonymous Coward | about a year ago | (#45212299)

Probably easier than getting out of jail if you used the program without permission on other people's stuff.

Re:White hat (0)

Anonymous Coward | about a year ago | (#45212775)

Probably easier than getting out of jail if you used the program without permission on other people's stuff.

Not if it were done by the manufacturer. All they would have to do is retroactively update the contract that you never signed when you purchased the product to give themselves that authority, as well as permission to install various other rootkits, and it would all be perfectly legal in the United States. In fact, consumers might risk being placed on certain secret blacklists if they were to make any attempt to prevent the manufacturer from doing so, or publicly express any disfavor with such actions. Someone hasn't been paying much attention to how things work these days.

Re:White hat (0)

Anonymous Coward | about a year ago | (#45212301)

How legal would it be to write a program to find vulnerable boxes and force a patch via the exploit?

Re:White hat (2)

Sockatume (732728) | about a year ago | (#45212341)

If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

Re:White hat (2)

hawguy (1600213) | about a year ago | (#45212431)

If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

Any business that leaves its NAS accessible from the public internet is unlikely to notice an unsolicited firmware update (and just as unlikely to know that it's been hacked and used to serve up malware).

Re:White hat (1)

Sockatume (732728) | about a year ago | (#45212805)

You'd hope so, but I could imagine some company somewhere has a public-facing NAS that stores the only copies of their mission-critical database, which is probably being used by some software which implodes permanently if the database becomes unavailable for more than eight seconds without prior notice.

Re:White hat (1)

NatasRevol (731260) | about a year ago | (#45212869)

Probably not.

"Hey, the db's offline again. Can you reboot the server?"

Re:White hat (1)

Sockatume (732728) | about a year ago | (#45221125)

The kind of company that puts their NAS on the public internet strikes me as the kind whose system probably isn't that well-behaved.

Re:White hat (1)

Thanshin (1188877) | about a year ago | (#45212343)

How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

Compared to what? It's significantly easier than testing all one by one to check if they are vulnerable.

It might be harder than transferring a small amount of money to the administrator in exchange for root access. In that scenario, the exploit would serve as an alibi for the admin to switch prison for just being fired, in case the entry was discovered; thus reducing the bribe amount.

Re:White hat (1)

Craig Young (3407421) | about a year ago | (#45220143)

How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

From a strictly technical perspective, this particular vulnerability is in fact not hard at all to exploit and deliver a fix. diff: http://pastebin.com/aWCwdnhL [pastebin.com] We didn't actually make such a tool but VERT did discuss the possibility.

Re:White hat (1)

L4t3r4lu5 (1216702) | about a year ago | (#45221703)

What, like Welchia [internetnews.com] ?

Yeah, that went well.

Internet Facing? (0)

Anonymous Coward | about a year ago | (#45212273)

People plug NAS boxes directly into the internet ? - roflmaopmsl....

Plug something into the internet without restricting access and you get what you deserve, any device like this should only be accessible from behind a nice solid firewall or on the end of a VPN link, not directly attached to the internet....

Re:Internet Facing? (1)

alex67500 (1609333) | about a year ago | (#45212941)

The firewall wouldn't change anything. If you want to access the NAS from the internet, you would open ports anyway, and leave it accessible to attacks...

Re:Internet Facing? (0)

Anonymous Coward | about a year ago | (#45213463)

The firewall wouldn't change anything. If you want to access the NAS from the internet, you would open ports anyway, and leave it accessible to attacks...

The point is you should never, ever, under ANY circumstances, be accessing the NAS directly from outside the local network. If you need to gain access to the files stored on the NAS, you should be setting up some other type of internet-facing system which then sanitizes and communicates directly with the NAS.
Yes, there are still other attack vectors such as compromising a machine on the same network, and it is indeed a serious security issue. But if you have your NAS exposed externally you have a much larger and more serious design issue in addition to the other threats.

For the less technically inclined, it would be like putting a safe with your documents out in your front yard, instead of inside your house. Yes, someone can still break into your house and try cracking the safe, but at least it's not available for any random passerby to take a shot at.

Re:Internet Facing? (1)

Pop69 (700500) | about a year ago | (#45214013)

If you open ports to access a NAS then you're incompetent. VPN is the only way to go to access anything on a remote LAN.

Re:Internet Facing? (1)

pnutjam (523990) | about a year ago | (#45214117)

or Citrix or SSH or maybe an RDP gateway. All proven secure.

Re:Internet Facing? (0)

Anonymous Coward | about a year ago | (#45214195)

If you want to access the NAS from the internet

then you have already lost.

But no one told me (5, Informative)

Henrik Gullaksen (2878597) | about a year ago | (#45212313)

I have a ReadyNAS Pro 6.
But I have not received any message from my NAS that there was a firmware update.
I get an e-mail from my NAS every time it runs its scrubbing, but have not received any messages about firmware updates.
I just logged in to my NAS and asked it to check for updates. And there was one.

If they want to get people to update the firmware, then they should inform people that there are updates.

Re:But no one told me (0)

Anonymous Coward | about a year ago | (#45212389)

If they want to get people to update the firmware, then they should inform people that there are updates.

I didn't know about any update until now either.

Re:But no one told me (2)

tiberus (258517) | about a year ago | (#45212613)

As much as getting an active notice (e.g. via e-mail) would be great, Netgear did send a passive notice, it just wasn't looked at. Best practice would be to check for updates on a regular (i.e. monthly, or more often depending on the inherent level of paranoia) basis. Granted, if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (never did get why it doesn't).

If something is on the network (computer, server, NAS, application, tablet, cell phone, etc.) some level of active effort should be made to ensure it's patched, updated, mitigated or replaced. If the network gets compromised sadly, Netgear won't feel the pinch.

Re:But no one told me (0)

Anonymous Coward | about a year ago | (#45213195)

Granted, if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (never did get why it doesn't).

Pro Tip: ReadyNAS RAIDiator is Linux. Write a cron job to wget the RSS feed and send yourself an e-mail. You could even submit it to their user forum and be seen as a hero.
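The cron-and-RSS idea from the comment above, written out as an added example (not the commenter's script and not anything NETGEAR ships): the feed URL, state-file path and mail recipient are placeholders, and the embedded feed is a constructed sample so the parsing and change detection can be checked offline before pointing the script at a real feed.

```shell
#!/bin/sh
# Added example (not the commenter's code): poll a firmware-announcement RSS
# feed from cron and mail when a new entry appears. FEED_URL, STATE_FILE and
# MAIL_TO are placeholders to replace for your own environment.
FEED_URL="${FEED_URL:-https://example.invalid/readynas-releases.rss}"
STATE_FILE="${STATE_FILE:-/var/tmp/readynas_feed.last}"
MAIL_TO="${MAIL_TO:-admin@example.invalid}"
# Constructed sample feed (not a real NETGEAR feed) so the parser can be
# exercised offline; the version numbers match those quoted in the thread.
SAMPLE_RSS='<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>ReadyNAS Releases (constructed sample)</title>
<link>https://example.invalid/releases</link>
<item>
  <title>RAIDiator 4.2.24 (x86) - constructed sample</title>
  <link>https://example.invalid/releases/4.2.24</link>
</item>
<item>
  <title>RAIDiator 4.1.12 (SPARC) - constructed sample</title>
  <link>https://example.invalid/releases/4.1.12</link>
</item>
</channel></rss>'
# Print "title<TAB>link" of the newest <item> in the RSS document on stdin.
# The feed is flattened to one line first so tags split across lines still match.
latest_item() {
    tr -d '\n\r' | awk '
        match($0, "<item>.*</item>") {
            item = substr($0, RSTART, RLENGTH)
            sub("</item>.*", "", item)                 # keep only the first item
            t = item; sub(".*<title>", "", t); sub("</title>.*", "", t)
            l = item; sub(".*<link>", "", l);  sub("</link>.*", "", l)
            print t "\t" l
        }'
}
# Compare the feed file $1 with the last item recorded in state file $2.
# Returns 0 and prints the new item if it changed, 1 if unchanged,
# 2 if the feed could not be parsed (the state file is then left untouched).
check_for_update() {
    current=$(latest_item < "$1")
    previous=$(cat "$2" 2>/dev/null || true)
    [ -n "$current" ] || return 2
    [ "$current" != "$previous" ] || return 1
    printf '%s\n' "$current" > "$2"
    printf '%s\n' "$current"
}
# Fetch the live feed and mail on change; meant for a daily cron entry such as
#   0 7 * * * /usr/local/bin/check_readynas_feed.sh --run
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$FEED_URL" || exit 1
    if new=$(check_for_update "$tmp" "$STATE_FILE"); then
        printf 'New firmware announcement:\n%s\n' "$new" \
            | mail -s "ReadyNAS firmware update available" "$MAIL_TO"
    fi
}
# Only fetch when invoked with --run, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

A parse failure (empty result) deliberately leaves the state file alone, so a temporarily broken or reformatted feed does not cause a flood of false "new update" mails on the next run.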

Re:But no one told me (1)

Demonantis (1340557) | about a year ago | (#45216347)

They might be worried about the bandwidth cost of constant update checks. The updates are few and far between. My ReadyNAS can't contact the server right now. I am a forum member. Why they didn't send out an email notice that way is beyond me.

Re:But no one told me (0)

Anonymous Coward | about a year ago | (#45213117)

I too am a ReadyNAS owner and while I did not receive an e-mail about the firmware update, I was informed about it through their RSS feed [readynas.com] and applied it months ago.

This isn't hard, folks. Systems with embedded operating systems can contain bugs, and you really should do a minimum of work to keep yourself informed of any updates.

Re:But no one told me (1)

Craig Young (3407421) | about a year ago | (#45220157)

Amen.

Internet-facing? (0)

Anonymous Coward | about a year ago | (#45212371)

Who in the heck puts a NAS box directly on the Internet? Holy cow.

Users slow to install security patches... (1)

JeffOwl (2858633) | about a year ago | (#45212427)

Obvious. This isn't news.

Re:Users slow to install security patches... (1)

GameboyRMH (1153867) | about a year ago | (#45212757)

D'oh, beaten.

Re:Users slow to install security patches... (0)

Anonymous Coward | about a year ago | (#45214031)

D'oh, beaten.

What's your excuse? And don't say you were busy updating, 'cause we know that's not true.

Are consumer ReadyNAS products vulnerable too? (2)

mrchaotica (681592) | about a year ago | (#45212437)

If things like the ReadyNAS Duo or NV+ are vulnerable that's an even bigger problem, because they're even less likely to be patched than the models used by businesses.

Re:Are consumer ReadyNAS products vulnerable too? (2)

greg1104 (461138) | about a year ago | (#45213075)

The vulnerable ones are the ReadyNAS x86 based [readynas.com] models that currently are running firmware with version numbers like 4.2.X. Things like the ReadyNAS Duo are either ARM based [readynas.com] with versions 5.3.X, or SPARC based [readynas.com] with versions like 4.1.X. The buggy feature here looks like it's only on the more expensive models.

Re:Are consumer ReadyNAS products vulnerable too? (1)

advid.net (595837) | about a year ago | (#45213253)

Thank you for your post, I have the old sparc based NAS and started to wonder if I need to patch.

(However, I still have emails reminding me to install the latest firmware 4.1.12 for the SPARC based NAS: security issues and DLNA features.)

Re:Are consumer ReadyNAS products vulnerable too? (1)

Craig Young (3407421) | about a year ago | (#45220281)

FYI - 4.1.12 : http://www.readynas.com/?p=6999 [readynas.com] "Updated Frontview to fix security issues."

Re:Are consumer ReadyNAS products vulnerable too? (1)

Craig Young (3407421) | about a year ago | (#45220267)

NETGEAR updated both the SPARC and x86 based ReadyNAS firmware lines to address the vulnerability. (i.e. 4.1.12 and 4.2.24) The models listed with the firmware updates are as follows: ReadyNAS NV+ v1, ReadyNAS Duo v1, ReadyNAS 1100, ReadyNAS 1500, ReadyNAS 2100, ReadyNAS 3100, ReadyNAS 3200, ReadyNAS 4200, ReadyNAS Ultra 2/Plus, ReadyNAS Ultra 4/Plus, ReadyNAS Ultra 6/Plus, ReadyNAS Pro 2, ReadyNAS Pro 4, ReadyNAS Pro 6, ReadyNAS Pro Business Edition, ReadyNAS Pro Pioneer Edition, ReadyNAS NVX, ReadyNAS NVX Pioneer Edition

Re:Are consumer ReadyNAS products vulnerable too? (1)

mrchaotica (681592) | about a year ago | (#45222507)

So are ARM-based ones (e.g. ReadyNAS Duo v2) not yet patched, or just not vulnerable to begin with?

Re:Are consumer ReadyNAS products vulnerable too? (1)

Craig Young (3407421) | about a year ago | (#45252079)

Don't expose frontview on any ReadyNAS to an untrusted network.

Outside facing boxen (1)

Larry_Dillon (20347) | about a year ago | (#45212947)

We're at the point where all outside facing devices need a mechanism for automatic updates, or at least automatic notification of updates.

I imagine that most of the ReadyNSA users have no idea they are vulnerable.

Re:Outside facing boxen (2)

mrchaotica (681592) | about a year ago | (#45213667)

ReadyNSA

Nice Freudian slip there...

"Internet-facing" NAS (1)

nuckfuts (690967) | about a year ago | (#45214755)

(Shudder)

Netgear's recent incompetence (1)

crath (80215) | about a year ago | (#45216837)

I'm a ReadyNAS owner. I have ignored recent firmware updates from Netgear simply because they have become incompetent at releasing firmware that actually functions. I keep my ReadyNAS far away from the Internet, and so my level of risk is low; as well, I have stopped upgrading: Netgear's release quality is simply too poor to allow me to risk the upgrade.