Software Security Upgrades

Users Slow to Update Netgear ReadyNAS Boxes Open To Remote Exploit

Posted by Unknown Lamer
from the laziness-begat-data-theft dept.
Trailrunner7 writes with this bit of news from Threatpost: "A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box. 'There's a lot of room for people to get burned on this,' Young told Threatpost. 'I felt it is important to get the message out to people that if you're running the RAIDiator firmware (prior to the current version) it's easy to attack the system. As we've found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.'"
  • by Anonymous Coward

    Why is this network-attached storage device not behind a firewall? Seems kind of like you're asking for it. But then again, I've been seeing a lot of big businesses neglecting their firewall, buying into the cloud service, and then they wonder what happened.

    • by Sockatume (732728)

      Probably for the same reason they're not patched: disinterested deployment.

      • by slaker (53818)

        I re-sell NAS systems based on the idea that no one in an SMB setting is interested in or even capable of dealing with a fully functional file server. To the folks in the office, the NAS is just "The network drive", while the guy who set it up probably isn't going to give it another thought until he hears that it's not working AND someone is offering to pay to get it fixed.

        I also see a lot of NAS systems deployed as workarounds for dealing with slow IT staff response times, often because a manager someplace doe

        • by pnutjam (523990)
          I generally talk people out of NAS's and deploy Linux or BSD boxes that operate as SMB share. I sometimes use prepackaged NAS distributions, but using your own hardware instead of the underpowered OEM NAS hardware.

          I think NAS's are in the same category as SOHO routers. They suck and you should go straight to an Open Source software package on your own hardware for about the same cost.
          • by slaker (53818)

            You're not going to build a 5W ARM system with two or four hot-swap SATA drive bays in a decent enclosure with a decent transformer using new parts for less than what a baby Synology NAS costs. I'm fully capable of assembling that sort of system but I can't do it cheaper, especially not if my time has value.

          • I think that you've missed the point here... This isn't about price or performance... The vendor has identified and patched a vulnerability, and has made the patch available in a free update that is easy to install, yet a large number of users haven't installed the update yet. How would this be improved by using an open source solution, which is generally more complicated to administer than an appliance with an embedded OS?
    • by jedidiah (1196)

      Don't some of these devices offer personal "cloud services"? They may need to be subject to a certain level of vulnerability in order to be fully functional.

      • by gl4ss (559668)

        yeah.. like streaming videos etc to your phone.

        it's shit execution of course on pretty much every box.

    • by medv4380 (1604309)
      Not that simple. Put it behind a firewall that locks it down and a lot of them can't even be set up anymore. My father in law got one, but never really used it so he gave it to me. The device automatically maps through any UPnP NAT device, then marries itself to a domain owned by Netgear so you can go to something like mystora.com/devicename. If you know the device's name and serial number it can easily be rooted remotely as well. The setup instructions require you to use the web domain interface. If you try to
  • by schneidafunk (795759) on Wednesday October 23, 2013 @09:40AM (#45212223)

    How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

    • by Anonymous Coward

      Probably easier than getting out of jail if you used the program without permission on other people's stuff.

    • by Sockatume (732728)

      If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

      • by hawguy (1600213)

        If they were just consumer products, maybe, but the risks with an unsolicited firmware update on business NAS are large enough that they probably won't want to touch it.

        Any business that leaves its NAS accessible from the public internet is unlikely to notice an unsolicited firmware update (and just as unlikely to know that it's been hacked and used to serve up malware).

        • by Sockatume (732728)

          You'd hope so, but I could imagine some company somewhere has a public-facing NAS that stores the only copies of their mission-critical database, which is probably being used by some software which implodes permanently if the database becomes unavailable for more than eight seconds without prior notice.

          • Probably not.

            "Hey, the db's offline again. Can you reboot the server?"

            • by Sockatume (732728)

              The kind of company that puts their NAS on the public internet strikes me as the kind whose system probably isn't that well-behaved.

    • by Thanshin (1188877)

      How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

      Compared to what? It's significantly easier than testing all one by one to check if they are vulnerable.

      It might be harder than transferring a small amount of money to the administrator in exchange for root access. In that scenario, the exploit would serve as an alibi for the admin to switch prison for just being fired, in case the entry was discovered; thus reducing the bribe amount.

    • How hard would it be to write a program to find vulnerable boxes and force a patch via the exploit?

      From a strictly technical perspective, this particular vulnerability is in fact not hard at all to exploit and deliver a fix. diff: http://pastebin.com/aWCwdnhL [pastebin.com] We didn't actually make such a tool but VERT did discuss the possibility.

    • What, like Welchia [internetnews.com]?

      Yeah, that went well.
  • But no one told me (Score:5, Informative)

    by Henrik Gullaksen (2878597) on Wednesday October 23, 2013 @09:50AM (#45212313)

    I have a ReadyNAS Pro 6.
    But I have not received any message from my NAS that there was a firmware update.
    I get an e-mail from my NAS every time it runs its scrubbing, but have not received any messages about firmware updates.
    I just logged in to my NAS and asked it to check for updates. And there was one.

    If they want to get people to update the firmware, then they should inform people that there are updates.

    • by tiberus (258517)

      As much as getting an active notice (e.g. via e-mail) would be great, Netgear did send a passive notice, it just wasn't looked at. Best practice would be to check for updates on a regular (i.e. monthly, or more often depending on the inherent level of paranoia) basis. Granted, if a ReadyNAS can send notices about scrubbing, or power failure, or disk failure, it should be able to send notices about updates (never did get why it doesn't).

      If something is on the network (computer, server, NAS, application, tablet

      • They might be worried about the bandwidth cost of constant update checks. The updates are few and far between. My ReadyNAS can't contact the server right now. I am a forum member. Why they didn't send out an email notice that way is beyond me.
    • Amen.
  • Obvious. This isn't news.
  • by mrchaotica (681592) * on Wednesday October 23, 2013 @09:59AM (#45212437)

    If things like the ReadyNAS Duo or NV+ are vulnerable that's an even bigger problem, because they're even less likely to be patched than the models used by businesses.

    • by greg1104 (461138)

      The vulnerable ones are the ReadyNAS x86 based [readynas.com] models that currently are running firmware with version numbers like 4.2.X. Things like the ReadyNAS Duo are either ARM based [readynas.com] with versions 5.3.X, or SPARC based [readynas.com] with versions like 4.1.X. The buggy feature here looks like it's only on the more expensive models.

    • NETGEAR updated both the SPARC and x86 based ReadyNAS firmware lines to address the vulnerability. (i.e. 4.1.12 and 4.2.24) The models listed with the firmware updates are as follows: ReadyNAS NV+ v1, ReadyNAS Duo v1, ReadyNAS 1100, ReadyNAS 1500, ReadyNAS 2100, ReadyNAS 3100, ReadyNAS 3200, ReadyNAS 4200, ReadyNAS Ultra 2/Plus, ReadyNAS Ultra 4/Plus, ReadyNAS Ultra 6/Plus, ReadyNAS Pro 2, ReadyNAS Pro 4, ReadyNAS Pro 6, ReadyNAS Pro Business Edition, ReadyNAS Pro Pioneer Edition, ReadyNAS NVX, ReadyNAS N
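As an added example that is not from the thread, NETGEAR or Tripwire, a small fleet inventory check built on the fixed firmware versions given in the comment above (4.1.12 for the SPARC line, 4.2.24 for the x86 line); the "RAIDiator x.y.z" string format, the treatment of the 5.3.x ARM line as unaffected, and the sample device list are assumptions.

```python
"""Audit ReadyNAS firmware strings against the fixed RAIDiator releases named
in the thread (4.1.12 for SPARC, 4.2.24 for x86). Hypothetical helper, not
NETGEAR's or Tripwire's code; the 'RAIDiator x.y.z' format and the inventory
below are constructed, and the 5.3.x ARM line is treated as unaffected."""
from typing import List, Optional, Tuple

# Firmware line (major, minor) -> first release carrying the Frontview fix.
FIXED_VERSIONS = {
    (4, 1): (4, 1, 12),   # SPARC-based models
    (4, 2): (4, 2, 24),   # x86-based models
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'RAIDiator 4.2.23' or '4.2.23' -> (4, 2, 23); ValueError if no dotted version."""
    token = text.strip().split()[-1]        # drop a leading product name
    parts = token.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if older than the fix for its line, False if fixed/unaffected, None if unparseable."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return None                         # never assume an unknown device is safe
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False                        # e.g. the 5.3.x ARM line
    return version < fixed                  # tuple compare: (4, 2, 9) < (4, 2, 24)

def audit(inventory) -> Tuple[List[str], List[str]]:
    """Split an inventory into devices needing the update and unparseable ones."""
    needs_update, unknown = [], []
    for name, firmware in inventory:
        state = is_vulnerable(firmware)
        if state is None:
            unknown.append(name)
        elif state:
            needs_update.append(name)
    return needs_update, unknown

# Constructed sample inventory: (hostname, firmware string as reported).
SAMPLE_INVENTORY = [
    ("nas-finance", "RAIDiator 4.2.23"),    # x86, one release short of the fix
    ("nas-eng",     "RAIDiator 4.2.24"),    # x86, fixed
    ("nas-backup",  "4.1.11"),              # SPARC, still vulnerable
    ("nas-media",   "RAIDiator 5.3.8"),     # ARM line, not affected here
    ("nas-legacy",  "unknown"),             # no version reported
]
```

Devices returned in the second list have no parseable version and need a manual look rather than being counted as patched.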
  • We're at the point where all outside facing devices need a mechanism for automatic updates, or at least automatic notification of updates.

    I imagine that most of the ReadyNSA users have no idea they are vulnerable.

  • I'm a ReadyNAS owner. I have ignored recent firmware updates from Netgear simply because they have become incompetent at releasing firmware that actually functions. I keep my ReadyNAS far away from the Internet, and so my level of risk is low; as well, I have stopped upgrading: Netgear's release quality is simply too poor to allow me to risk the upgrade.
