Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Really?

[110010001000]

You mean cheap software written in PHP is insecure?

Re:Really?

[UnknownSoldier]

Well PHP does stand for PHucked uP =P

/me ducks

(Lighten up, it was a joke)

Axentra -- WTF?

[hduff]

So it seems like it's up to Axentra to fix their poorly coded Piece Of Shit? But do they really even care?

This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.

Re:Axentra -- WTF?

[grep+-v+'.*'+*]

and then maybe it will stop.

Naaaaa -- don't you know, it's like the CLOUD baby, where everything goes and you push responsibility as far as you can and then right out the window. There's NO problems at all that an online contract or ROM update won't fix. And of course with surface mount chips, unfixable hardware, and no one ever reading the legals, they'll have to buy your *next* product with it's OWN new problems.

Planned Obsolescence? That's so 1990s. Now they need to pay you for your new product while the old one's still working! It's a joy to behold! Catch up with the times already baby; the Good Times are Here!

Re:Axentra -- WTF?

[RockDoctor]

This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.Didn't you read the fucking software agreement before using it? The bit that disclaimed it's fitness for any particular purpose, and limited all liability to the sale value of the software. At least, that's how I read typical EULAs.

Re:Blah

[HarrySquatter]

Well at least the hackers aren't turning them into bombs.

https://media-wired-com.cdn.am...

"root"?

[mckwant]

Somebody felt the need to explain the notion of the root user? On /.?

Goodness.

Re:"root"?

[HarrySquatter]

The part explaining root was just a quote from the original article.

Re: "root"?

[jd]

Well, the better users have the issue of LJ that describes how to remove root from Linux. That, together with cgroups, means some are forgetting about such archaic notions.

Re: Blah

[jd]

You say that, but to what extent is it true?

Let's take the hypothetical scenario - you've an A1+ OB-rated computer with hardware-enforced memory segmentation and memory security labelling, and network security labelling. There's no root and everything is by mandatory access control.

Let's say the firewall has been set to block all incoming connections.

The computer is online, but in what sense is all of it online? How do you propose to hack the hard drive of such a machine?

The problem with simplistic descriptions is that they lead to naive optimism or naive conservatism.

Re: This Just IN

[jd]

What if it's a house on top of K2, with the entrance on the roof reachable only by a deadly maze?

I'd have thought you could leave the front door wide open.

Re:Fuck it, I'm blaming the victims here

[ole_timer]

+1

Re: Fuck it, I'm blaming the victims here

[jd]

I would imagine an Internet-connected router could be handy. NAS and SAN drives are, by their nature, capable of being on the Internet.

However, anyone buying a networked appliance should be a fully-qualified firewall admin, and the cloud should really be evaporated.

Re:Fuck it, I'm blaming the victims here

[ctilsie242]

There are some quality devices. Synology and QNAP NAS models have solid security, and if you need to add stuff like fail2ban, borg backup, gpg, or other items, that is easily accomplished.

You can have a NAS that is secure enough to sit on a public IP space (not sure why you want to), and be resistant to attack, provided you limit the IP space, enable 2FA, SSH RSA keys, and keep good backups.

Secure NAS products are out there... it is just that some companies just don't seem to care enough about making a securable device.

What is this "Root"

[Highdude702]

Why would anybody ever have a hard coded admin account?!? That is unbelievable. That is why Linux sucks so bad it has hard coded backdoor accounts! I'm so glad I use BeOS, I don't have to worry about hackers!

CVE-2018-18471 and CVE-2018-18472 not at MITRE.ORG

[Swave+An+deBwoner]

From the "Wizcase" article:

Both the vulnerabilities (dubbed CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.

But CVE-2018-18471 and CVE-2018-18472 are not listed at mitre.org or the NIST database:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18472

Re:Blah

[omnichad]

This is basically a single-drive NAS that has a way to log in and access your files when away from home. Sort of like Dropbox in a way, but with apparently terrible security.

Re: Blah

[jd]

No reason why it would cost that, but blanket statements don't come with an implicit upper bound. If you want claim "for all", you'd best either state range or be damn sure I can't provide an existence proof for an exception.

Re: Blah

[jd]

Won't work.

First, the firewall is set to block all incoming connections. Makes it impossible to break into, since you can't connect to it.

Second, security labeling means even if you got into the firewall, the firewall can't generate any packets the machine would accept.

Third, because incoming connections are blocked, there are no credentials to intercept.

It doesn't matter what you can get around, it matters only if there's a vector that runs from where you start to where you want to end. No complete path, no luck. No matter what you can work around.

You don't know if your frameworks are secure? You've never looked at, oh, validating the code? Give you some suggestions.

First, look up CERT Secure Programming. Then look up NASA's Power of Ten. If you're using interacting threads, learn about Pi calculus. Splint is not terribly good, better static checkers are out there - some built into LLVM. You won't use all of these, but that's unimportant.

If you code is:
1) Easy to read
2) Free of defective underlying functions
3) Free of known standard coding errors
4) An implementation of a validated state machine
5) Properly tested at unit and integrated levels
6) Tested against linguistic anomalies (such as injectable escape codes and terminators)

Then you can be confident that the defect density is very low indeed. If you choose not to be, that's your problem.

If you want to increase confidence further, you want to make sure:
A) Test harnesses are developed prior to implementation
B) Additional theorems are developed about how the code operates
C) Everything is properly encapsulated and isolated under minimum privilege doctrine
D) One module does one thing and does it well (UNIX doctrine)

The point of C is that even if a bug exists, it simply doesn't matter. Either it can't be reached or you can't get anywhere from it. You cannot prove a program 100% correct, but you don't have to. You only have to prove that any remaining defects are disjoint.