Slashdot Mirror


Users Slow to Update Netgear ReadyNAS Boxes Open To Remote Exploit

Trailrunner7 writes with this bit of news from Threatpost: "A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young, who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box. 'There's a lot of room for people to get burned on this,' Young told Threatpost. 'I felt it is important to get the message out to people that if you're running the RAIDiator firmware (prior to the current version) it's easy to attack the system. As we've found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.'"

53 comments

  1. Why would you have this on an open network? by Anonymous Coward · · Score: 2, Insightful

    Why is this network-attached storage device not behind a firewall? Seems kind of like you're asking for it. But then again, I've been seeing a lot of big businesses neglecting their firewall, buying into the cloud service, and then they wonder what happened.

    1. Re:Why would you have this on an open network? by Sockatume · · Score: 1

      Probably for the same reason they're not patched: disinterested deployment.

      --
      No kidding!!! What do you say at this point?
    2. Re:Why would you have this on an open network? by jedidiah · · Score: 1

Don't some of these devices offer personal "cloud services"? They may need to be subject to a certain level of vulnerability in order to be fully functional.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Why would you have this on an open network? by gl4ss · · Score: 1

      yeah.. like streaming videos etc to your phone.

      it's shit execution of course on pretty much every box.

      --
      world was created 5 seconds before this post as it is.
    4. Re:Why would you have this on an open network? by medv4380 · · Score: 1

Not that simple. Put it behind a firewall that locks it down and a lot of them can't even be set up anymore. My father in law got one, but never really used it so he gave it to me. The device automatically maps through any UPnP NAT device, then marries itself to a domain owned by Netgear so you can go to something like mystora.com/devicename. If you know the device's name and serial number it can easily be rooted remotely as well. The setup instructions require you to use the web domain interface. If you try to go directly to the web interface it normally redirects you to the domain name. Any rational geek would lobotomize these ReadyNAS and Stora devices so that they don't root their networks. Nice devices based on their hardware, but their "features" are unacceptable.

    5. Re:Why would you have this on an open network? by slaker · · Score: 1

I re-sell NAS systems based on the idea that no one in an SMB setting is interested in or even capable of dealing with a fully functional file server. To the folks in the office, the NAS is just "the network drive", while the guy who set it up probably isn't going to give it another thought until he hears that it's not working AND someone is offering to pay to get it fixed.

I also see a lot of NAS systems deployed as workarounds for dealing with slow IT staff response times, often because a manager someplace doesn't understand why it's so much more of a hassle for a storage admin someplace to allocate 6TB of space than it is to buy a low end Drobo and some crappy desktop drives. Staff IT might not even be aware that the boxes are out there.

      Being able to be disinterested is in fact part of the sales pitch for a NAS in the first place.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    6. Re:Why would you have this on an open network? by pnutjam · · Score: 1

I generally talk people out of NAS's and deploy Linux or BSD boxes that operate as an SMB share. I sometimes use prepackaged NAS distributions, but using your own hardware instead of the underpowered OEM NAS hardware.

      I think NAS's are in the same category as SOHO routers. They suck and you should go straight to an Open Source software package on your own hardware for about the same cost.

    7. Re:Why would you have this on an open network? by slaker · · Score: 1

You're not going to build a 5W ARM system with two or four hot-swap SATA drive bays in a decent enclosure with a decent transformer using new parts for less than what a baby Synology NAS costs. I'm fully capable of assembling that sort of system but I can't do it cheaper, especially not if my time has value.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    8. Re: Why would you have this on an open network? by bradt · · Score: 1

I think that you've missed the point here... This isn't about price or performance... The vendor has identified and patched a vulnerability, and has made the patch available in a free update that is easy to install, yet a large number of users haven't installed the update yet. How would this be improved by using an open source solution, which is generally more complicated to administer than an appliance with an embedded OS?

  2. Re:Happy Tuesday from The Golden Girls! by Anonymous Coward · · Score: 0

    Wednesday?

  3. White hat by schneidafunk · · Score: 3, Funny

    How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:White hat by Anonymous Coward · · Score: 1

      Probably easier than getting out of jail if you used the program without permission on other people's stuff.

    2. Re:White hat by Anonymous Coward · · Score: 0

      How legal would it be to write a program to find vulnerable boxes and force a patch via the exploit?

    3. Re:White hat by Sockatume · · Score: 2

      If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

      --
      No kidding!!! What do you say at this point?
    4. Re:White hat by Thanshin · · Score: 1

      How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

      Compared to what? It's significantly easier than testing all one by one to check if they are vulnerable.

      It might be harder than transferring a small amount of money to the administrator in exchange for root access. In that scenario, the exploit would serve as an alibi for the admin to switch prison for just being fired, in case the entry was discovered; thus reducing the bribe amount.

    5. Re:White hat by hawguy · · Score: 2

      If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

      Any business that leaves its NAS accessible from the public internet is unlikely to notice an unsolicited firmware update (and just as unlikely to know that it's been hacked and used to serve up malware).

    6. Re:White hat by Anonymous Coward · · Score: 0

      Probably easier than getting out of jail if you used the program without permission on other people's stuff.

Not if it were done by the manufacturer. All they would have to do is retroactively update the contract that you never signed when you purchased the product to give themselves that authority, as well as permission to install various other rootkits, and it would all be perfectly legal in the United States. In fact, consumers might risk being placed on certain secret blacklists if they were to make any attempt to prevent the manufacturer from doing so, or publicly express any disfavor with such actions. Someone hasn't been paying much attention to how things work these days.

    7. Re:White hat by Sockatume · · Score: 1

      You'd hope so, but I could imagine some company somewhere has a public-facing NAS that stores the only copies of their mission-critical database, which is probably being used by some software which implodes permanently if the database becomes unavailable for more than eight seconds without prior notice.

      --
      No kidding!!! What do you say at this point?
    8. Re:White hat by NatasRevol · · Score: 1

      Probably not.

      "Hey, the db's offline again. Can you reboot the server?"

      --
      There are two types of people in the world: Those who crave closure
    9. Re:White hat by vuln-report · · Score: 1

      How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

From a strictly technical perspective, this particular vulnerability is in fact not hard at all to exploit and deliver a fix (diff: http://pastebin.com/aWCwdnhL). We didn't actually make such a tool but VERT did discuss the possibility.

    10. Re:White hat by Sockatume · · Score: 1

      The kind of company that puts their NAS on the public internet strikes me as the kind whose system probably isn't that well-behaved.

      --
      No kidding!!! What do you say at this point?
    11. Re:White hat by L4t3r4lu5 · · Score: 1

      What, like Welchia?

      Yeah, that went well.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  4. Internet Facing? by Anonymous Coward · · Score: 0

People plug NAS boxes directly into the internet? - roflmaopmsl....

    Plug something into the internet without restricting access and you get what you deserve, any device like this should only be accessible from behind a nice solid firewall or on the end of a VPN link, not directly attached to the internet....

    1. Re:Internet Facing? by alex67500 · · Score: 1

The firewall wouldn't change anything. If you want to access the NAS from the internet, you would open ports anyway, and leave it accessible to attacks...

    2. Re:Internet Facing? by Anonymous Coward · · Score: 0

The firewall wouldn't change anything. If you want to access the NAS from the internet, you would open ports anyway, and leave it accessible to attacks...

The point is you should never, ever, under ANY circumstances, be accessing the NAS directly from outside the local network. If you need to gain access to the files stored on the NAS, you should be setting up some other type of internet-facing system which then sanitizes and communicates directly with the NAS.
Yes, there are still other attack vectors such as compromising a machine on the same network, and it is indeed a serious security issue. But if you have your NAS exposed externally you have much larger and more serious design issues in addition to the other threats.

      For the less technically inclined, it would be like putting a safe with your documents out in your front yard, instead of inside your house. Yes, someone can still break into your house and try cracking the safe, but at least it's not available for any random passerby to take a shot at.

    3. Re:Internet Facing? by Pop69 · · Score: 1

If you open ports to access a NAS then you're incompetent. VPN is the only way to go to access anything on a remote LAN.

    4. Re:Internet Facing? by pnutjam · · Score: 1

      or Citrix or SSH or maybe an RDP gateway. All proven secure.

    5. Re:Internet Facing? by Anonymous Coward · · Score: 0

      If you want to access the NAS from the internet

      then you have already lost.

  5. But no one told me by fateblossom · · Score: 5, Informative

I have a ReadyNAS Pro 6.
But I have not received any message from my NAS that there was a firmware update.
I get an e-mail from my NAS every time it runs its scrubbing, but have not received any messages about firmware updates.
I just logged in to my NAS and asked it to check for updates. And there was one.

If they want to get people to update the firmware, then they should inform people that there are updates.

    1. Re:But no one told me by Anonymous Coward · · Score: 0

If they want to get people to update the firmware, then they should inform people that there are updates.

      I didn't know about any update until now either.

    2. Re:But no one told me by tiberus · · Score: 2

As much as getting an active notice (e.g. via e-mail) would be great, Netgear did send a passive notice, it just wasn't looked at. Best practice would be to check for updates on a regular (i.e. monthly, or more often depending on the inherent level of paranoia) basis. Granted, if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (never did get why it doesn't).

      If something is on the network (computer, server, NAS, application, tablet, cell phone, etc.) some level of active effort should be made to ensure it's patched, updated, mitigated or replaced. If the network gets compromised sadly, Netgear won't feel the pinch.

    3. Re:But no one told me by Anonymous Coward · · Score: 0

      I too am a ReadyNAS owner and while I did not receive an e-mail about the firmware update, I was informed about it through their RSS feed and applied it months ago.

This isn't hard, folks. Systems with embedded operating systems can contain bugs, and you really should do a minimum of work to keep yourself informed of any updates.

    4. Re:But no one told me by Anonymous Coward · · Score: 0

      Granted if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (Never did get why it doesn't).

      Pro Tip: ReadyNAS RAIDiator is Linux. Write a cron job to wget the RSS feed and send yourself an e-mail. You could even submit it to their user forum and be seen as a hero.
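One way to build the cron job the comment above describes, as an added example that is not NETGEAR's code or the poster's: it wgets the release RSS feed, reports only item titles it has not seen before, and hands them to mail(1). The feed URL, the feed layout and the embedded sample feed are constructed assumptions; by default it does an offline dry run against the sample.

```shell
#!/bin/sh
# Added example (not NETGEAR's or the forum poster's code): a cron-able script
# that fetches the ReadyNAS release RSS feed with wget, prints the <item>
# titles it has not reported before, and hands them to mail(1).
# FEED_URL, the feed layout and SAMPLE_FEED are constructed assumptions.
FEED_URL="${FEED_URL:-http://www.readynas.com/?feed=rss2}"   # assumed URL
STATE="${STATE:-$HOME/.readynas_seen_titles}"                 # titles already mailed
MAILTO="${MAILTO:-admin@example.com}"

# Constructed sample feed, used for the offline dry run (default mode).
SAMPLE_FEED='<rss><channel><title>ReadyNAS News</title>
<item><title>RAIDiator 4.1.12 for SPARC</title><link>http://example.invalid/4112</link></item>
<item><title>RAIDiator 4.2.24 for x86</title><link>http://example.invalid/4224</link></item>
</channel></rss>'

# feed_titles: RSS XML on stdin -> one <item> title per line.
# Splitting on '<' puts every tag at the start of a line, so the channel's own
# <title> (before the first <item>) is skipped and only item titles are kept.
feed_titles() {
    tr '<' '\n' | awk '/^item>/ { in_item = 1 }
                       in_item && /^title>/ { sub(/^title>/, ""); print }'
}

# new_titles STATEFILE: pass through only titles absent from STATEFILE and
# record them there, so the next cron run stays quiet about the same posts.
new_titles() {
    state="$1"
    [ -e "$state" ] || : > "$state"
    if [ -s "$state" ]; then
        fresh=$(grep -Fxvf "$state" || true)   # -F fixed strings, -x whole line
    else
        fresh=$(cat)                           # empty state: everything is new
    fi
    [ -n "$fresh" ] && printf '%s\n' "$fresh" | tee -a "$state"
    return 0
}

# notify: mail the titles on stdin (live mode) or just show what would be sent.
notify() {
    body=$(cat)
    [ -n "$body" ] || return 0
    if [ "${READYNAS_LIVE:-0}" = 1 ]; then
        printf 'New ReadyNAS firmware posts:\n%s\n' "$body" \
            | mail -s "ReadyNAS firmware update" "$MAILTO"
    else
        printf 'Would mail %s:\n%s\n' "$MAILTO" "$body"
    fi
}

# READYNAS_LIVE=1 runs the real fetch from cron; the default is an offline
# dry run against the constructed feed with a throwaway state file.
if [ "${READYNAS_LIVE:-0}" = 1 ]; then
    wget -q -O - "$FEED_URL" | feed_titles | new_titles "$STATE" | notify
else
    tmp_state=$(mktemp)
    printf '%s\n' "$SAMPLE_FEED" | feed_titles | new_titles "$tmp_state" | notify
    rm -f "$tmp_state"
fi
```

A crontab line such as `0 7 * * * READYNAS_LIVE=1 /path/to/readynas_feed.sh` runs the live check once a day; titles that have already been mailed stay in the state file and are not repeated.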

    5. Re:But no one told me by Demonantis · · Score: 1

They might be worried about the bandwidth cost of constant update checks. The updates are few and far between. My ReadyNAS can't contact the server right now. I am a forum member. Why they didn't send out an email notice that way is beyond me.

    6. Re:But no one told me by vuln-report · · Score: 1

      Amen.

  6. Re:Happy Tuesday from The Golden Girls! by Anonymous Coward · · Score: 0

    A rare miss!

  7. Internet-facing? by Anonymous Coward · · Score: 0

    Who in the heck puts a NAS box directly on the Internet? Holy cow.

  8. Users slow to install security patches... by JeffOwl · · Score: 1

    Obvious. This isn't news.

    1. Re:Users slow to install security patches... by GameboyRMH · · Score: 1

      D'oh, beaten.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Users slow to install security patches... by Anonymous Coward · · Score: 0

      D'oh, beaten.

What's your excuse? And don't say you were busy updating, cause we know that's not true.

  9. Are consumer ReadyNAS products vulnerable too? by mrchaotica · · Score: 2

    If things like the ReadyNAS Duo or NV+ are vulnerable that's an even bigger problem, because they're even less likely to be patched than the models used by businesses.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:Are consumer ReadyNAS products vulnerable too? by greg1104 · · Score: 2

      The vulnerable ones are the ReadyNAS x86 based models that currently are running firmware with version numbers like 4.2.X. Things like the ReadyNAS Duo are either ARM based with versions 5.3.X, or SPARC based with versions like 4.1.X. The buggy feature here looks like it's only on the more expensive models.

    2. Re:Are consumer ReadyNAS products vulnerable too? by advid.net · · Score: 1

Thank you for your post, I have the old SPARC based NAS and started to wonder if I need to patch.

(However I still have emails to remind me to install the latest firmware 4.1.12 for SPARC based NAS - security issues and DLNA features.)

    3. Re:Are consumer ReadyNAS products vulnerable too? by vuln-report · · Score: 1

      NETGEAR updated both the SPARC and x86 based ReadyNAS firmware lines to address the vulnerability. (i.e. 4.1.12 and 4.2.24) The models listed with the firmware updates are as follows: ReadyNAS NV+ v1, ReadyNAS Duo v1, ReadyNAS 1100, ReadyNAS 1500, ReadyNAS 2100, ReadyNAS 3100, ReadyNAS 3200, ReadyNAS 4200, ReadyNAS Ultra 2/Plus, ReadyNAS Ultra 4/Plus, ReadyNAS Ultra 6/Plus, ReadyNAS Pro 2, ReadyNAS Pro 4, ReadyNAS Pro 6, ReadyNAS Pro Business Edition, ReadyNAS Pro Pioneer Edition, ReadyNAS NVX, ReadyNAS NVX Pioneer Edition

    4. Re:Are consumer ReadyNAS products vulnerable too? by vuln-report · · Score: 1

      FYI - 4.1.12 : http://www.readynas.com/?p=6999 "Updated Frontview to fix security issues."
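For anyone triaging a fleet against the fixed versions named in this thread (4.1.12 for the SPARC line, 4.2.24 for the x86 line), here is an added example that is neither NETGEAR's nor the poster's code. It compares version fields numerically, since a plain string compare would rank 4.2.9 above 4.2.24; the ARM 5.3.x line is reported as "not-listed" because the thread gives no fixed version for it. Function names and the digits-only version format are assumptions.

```shell
#!/bin/sh
# Added example, not NETGEAR's or the poster's code: classify a RAIDiator
# version against the fixed releases the thread names (SPARC line 4.1.12,
# x86 line 4.2.24). ARM 5.3.x is reported as "not-listed" because the
# thread gives no fixed version for it. Function names are assumptions;
# versions are assumed to be plain dotted integers (e.g. 4.2.21).

# version_lt A B: succeed when dotted version A is numerically below B.
# A string comparison would call 4.2.9 newer than 4.2.24, so each field
# is compared as an integer; missing trailing fields count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"             # leading field of each
        [ "$x" = "$a" ] && a="" || a="${a#*.}" # drop it (last field -> empty)
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                                   # versions are equal
}

# readynas_status VERSION: print vulnerable | patched | not-listed | unknown.
readynas_status() {
    v="$1"
    case "$v" in
        4.1.*) fixed=4.1.12 ;;                 # SPARC models (Duo v1, NV+ v1, ...)
        4.2.*) fixed=4.2.24 ;;                 # x86 models (Pro, Ultra, NVX, ...)
        5.3.*) echo not-listed; return 0 ;;    # ARM line: no fix version in thread
        *)     echo unknown;    return 0 ;;
    esac
    if version_lt "$v" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Demo on a few constructed version strings.
for v in 4.1.9 4.1.12 4.2.9 4.2.21 4.2.24 5.3.8; do
    printf '%-8s %s\n' "$v" "$(readynas_status "$v")"
done
```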

    5. Re:Are consumer ReadyNAS products vulnerable too? by mrchaotica · · Score: 1

      So are ARM-based ones (e.g. ReadyNAS Duo v2) not yet patched, or just not vulnerable to begin with?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    6. Re:Are consumer ReadyNAS products vulnerable too? by vuln-report · · Score: 1

      Don't expose frontview on any ReadyNAS to an untrusted network.

  10. Re:Happy Tuesday from The Golden Girls! by NatasRevol · · Score: 1

    I always wanted to be a cosmonaut.

    --
    There are two types of people in the world: Those who crave closure
  11. Outside facing boxen by Larry_Dillon · · Score: 1

We're at the point where all outside facing devices need a mechanism for automatic updates, or at least automatic notification of updates.

    I imagine that most of the ReadyNSA users have no idea they are vulnerable.

    --
    Competition Good, Monopoly Bad.
    1. Re:Outside facing boxen by mrchaotica · · Score: 2

      ReadyNSA

      Nice Freudian slip there...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  12. "Internet-facing" NAS by nuckfuts · · Score: 1

    (Shudder)

  13. Netgear's recent incompetence by crath · · Score: 1

    I'm a ReadyNAS owner. I have ignored recent firmware updates from Netgear simply because they have become incompetent at releasing firmware that actually functions. I keep my ReadyNAS far away from the Internet, and so my level of risk is low; as well, I have stopped upgrading: Netgear's release quality is simply too poor to allow me to risk the upgrade.