Slashdot Mirror


Users Slow to Update Netgear ReadyNAS Boxes Open To Remote Exploit

Trailrunner7 writes with this bit of news from Threatpost "A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box. 'There's a lot of room for people to get burned on this,' Young told Threatpost. 'I felt it is important to get the message out to people that if you're running the RAIDiator firmware (prior to the current version) it's easy to attack the system. As we've found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.'"

9 of 53 comments

  1. Why would you have this on an open network? by Anonymous Coward · Score: 2, Insightful

    Why is this network-attached storage device not behind a firewall? Seems kind of like you're asking for it. But then again, I've been seeing a lot of big businesses neglecting their firewall, buying into the cloud service, and then they wonder what happened.

  2. White hat by schneidafunk · Score: 3, Funny

    How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:White hat by Sockatume · Score: 2

      If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

      --
      No kidding!!! What do you say at this point?
    2. Re:White hat by hawguy · Score: 2

      If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

      Any business that leaves its NAS accessible from the public internet is unlikely to notice an unsolicited firmware update (and just as unlikely to know that it's been hacked and used to serve up malware).

  3. But no one told me by fateblossom · Score: 5, Informative

    I have a ReadyNAS Pro 6
    But I have not received any message from my NAS that there was a firmware update.
    I get an e-mail from my NAS every time it runs its scrubbing, but I have not received any messages about firmware updates.
    I just logged in to my NAS and asked it to check for updates. And there was one.

    If they want to get people to update the firmware, then they should inform people that there are updates.

    1. Re:But no one told me by tiberus · Score: 2

      As much as getting an active notice (e.g. via e-mail) would be great, Netgear did send a passive notice; it just wasn't looked at. Best practice would be to check for updates on a regular (i.e. monthly, or more often depending on the inherent level of paranoia) basis. Granted, if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (never did get why it doesn't).

      If something is on the network (computer, server, NAS, application, tablet, cell phone, etc.) some level of active effort should be made to ensure it's patched, updated, mitigated or replaced. If the network gets compromised sadly, Netgear won't feel the pinch.

  4. Are consumer ReadyNAS products vulnerable too? by mrchaotica · Score: 2

    If things like the ReadyNAS Duo or NV+ are vulnerable that's an even bigger problem, because they're even less likely to be patched than the models used by businesses.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:Are consumer ReadyNAS products vulnerable too? by greg1104 · Score: 2

      The vulnerable ones are the ReadyNAS x86 based models that currently are running firmware with version numbers like 4.2.X. Things like the ReadyNAS Duo are either ARM based with versions 5.3.X, or SPARC based with versions like 4.1.X. The buggy feature here looks like it's only on the more expensive models.
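As an added example (not from the page, NETGEAR, or any commenter), a small Python audit that applies the version families greg1104 describes to a fleet inventory: it pulls the dotted firmware version out of each box's version string, maps 4.2.x to x86 (the line the comment says is affected), 5.3.x to ARM and 4.1.x to SPARC, and flags x86 boxes older than a baseline the operator supplies. The version-string format, the hostnames and the baseline value are assumptions; the page gives no fixed version number, so take the baseline from NETGEAR's release notes rather than from this code.

```python
import re

# Version-number families as described in the comment above (assumption: the
# mapping is taken from that comment, not from NETGEAR documentation).
FAMILIES = {
    (4, 2): "x86",    # the affected line per the comment
    (5, 3): "ARM",
    (4, 1): "SPARC",
}

# Matches the first dotted major.minor.patch triple anywhere in the string, so
# both a bare "4.2.20" and an assumed prefixed form like "RAIDiator-x86 4.2.20" work.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(firmware):
    """Return (major, minor, patch) as ints from a firmware version string."""
    m = VERSION_RE.search(firmware)
    if not m:
        raise ValueError(f"no dotted version found in {firmware!r}")
    return tuple(int(x) for x in m.groups())


def classify(firmware):
    """Return (family, version) where family is x86/ARM/SPARC or 'unknown'."""
    v = parse_version(firmware)
    return FAMILIES.get(v[:2], "unknown"), v


def needs_attention(firmware, fixed_x86_version):
    """True when the box is in the x86 4.2.x family and older than the
    operator-supplied fixed version (hypothetical parameter; not from the page)."""
    family, v = classify(firmware)
    return family == "x86" and v < fixed_x86_version


def audit(inventory, fixed_x86_version):
    """Return the sorted hostnames whose firmware should be updated."""
    return sorted(host for host, fw in inventory
                  if needs_attention(fw, fixed_x86_version))


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("nas-finance",   "RAIDiator-x86 4.2.20"),
    ("nas-eng",       "RAIDiator-x86 4.2.24"),
    ("nas-duo-lobby", "RAIDiator-arm 5.3.9"),
    ("nas-old",       "RAIDiator 4.1.14"),
]

if __name__ == "__main__":
    # Illustrative placeholder only; substitute the fixed version from
    # NETGEAR's release notes for the 4.2.x line.
    baseline = (4, 2, 23)
    for host in audit(SAMPLE_INVENTORY, baseline):
        print(f"{host}: x86 firmware older than {'.'.join(map(str, baseline))}, update it")
```

Boxes whose version prefix is not one of the three families come back as "unknown" and are deliberately not flagged; in a real audit those should go to a manual-review list rather than being silently treated as safe.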

  5. Re:Outside facing boxen by mrchaotica · Score: 2

    ReadyNSA

    Nice Freudian slip there...

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz