Critical vulnerability found in LG Network Storage Units (NAS)

Do you run LG Network Storage Units (NAS) in a corporate or private environment? Then it's time to act, because security researchers have found a critical, as yet unpatched, remote code execution flaw.


The Hacker News recommends taking the affected LG Electronics devices offline to protect sensitive data. 

What is the matter?

LG's Network Attached Storage (NAS) device is a file storage device connected to a network that allows users to store and share data with multiple computers. Authorized users can also access their data via the Internet.

Now a security researcher has published full technical details of an unpatched critical remote command execution vulnerability in various LG NAS device models. It can allow attackers to compromise the devices and steal the data stored on them.

The vulnerability

The vulnerability was discovered and published by a security researcher commissioned by VPN Mentor's data protection officer. VPN Mentor recently reported bugs in VPN products (see my German blog post Drei populäre VPN-Dienste leaken die IP-Adresse).

The issue found in LG NAS devices is a remote command injection vulnerability that requires no authentication. The password prompt of the remote login can be abused for this: an attacker can use the password field on the login page to send system commands to the device.


[Image: nas-device-hacking] (Source: The Hacker News)

In the following video, the security researchers demonstrate how attackers can exploit this vulnerability to first write a simple, persistent shell to vulnerable storage devices that are reachable from the Internet.

[Video] (Source: YouTube)

This shell then lets attackers easily execute further commands, one of which downloads the NAS device's complete user database, including e-mail addresses, user names and MD5-hashed passwords.

