[German] Bad news for owners of NAS systems (WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS): security researchers have found several critical vulnerabilities within these devices.
Some background information
NAS devices have become the preferred network storage medium for many small and medium-sized enterprises (SMBs), but also for private users. They are inexpensive, easy to use and expandable. But the question is whether NAS drives are secure enough to protect the corporate data stored on them. That was the question the wizcase.com team asked, so they hired security researchers Paulos Yibelo and Daniel Eshetu to examine some common NAS models for vulnerabilities.
They focused only on critical vulnerabilities that could be exploited remotely and without user interaction. In other words, authentication bypasses were not enough; it was required that remote commands could be executed on the devices with the highest (root) privileges. The security researchers have tested the following devices:
- WD My Book,
- NetGear Stora,
- SeaGate Home,
- Medion LifeCloud NAS
The team from wizcase.com contacted me by mail this weekend and mentioned their findings, which have been documented here.
Summary of vulnerabilities
The security researchers successfully executed remote commands on the NAS drives with root privileges, without authentication. Only the IP address of the respective device was needed for the attacks. Here are some results of the investigation:
- All four NAS devices tested have a zero-day pre-authentication remote command execution (Preauth RCE) vulnerability that yields root privileges.
- The vulnerabilities allow hackers, governments, or individuals with malicious intent to read files, add/remove users, add/change existing data, or execute commands with the highest privileges on all devices.
The wizcase.com team is convinced that many other NAS devices suffer from similar vulnerabilities. The reason: security has so far probably not been a focus for NAS manufacturers, and the OS used in the firmware of these devices is shared by many manufacturers.
Both vulnerabilities found (CVE-2018-18472 and CVE-2018-18471) are unpatched at the time of this release. It is estimated that nearly 2 million affected devices are online, i.e. accessible via the Internet and thus vulnerable. Details on the vulnerabilities are described in this wizcase.com article.
CVE-2018-18471: XXE and Unauthenticated Remote Command Execution
This vulnerability is located within Axentra's Hipserv NAS OS, which is used as the operating system on multiple devices. The OS offers cloud-based login, file storage and management functions for different devices. It is used in devices from the following vendors, among others:
- Netgear Stora
- Seagate GoFlex Home
- Medion LifeCloud (and probably other devices)
Axentra provides a firmware with a web interface that mainly uses PHP as the server-side language. The web interface has a REST API endpoint and a typical web management interface with support for a file manager.
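To show the vulnerability class named in the heading, here is an added illustration that is neither Axentra's Hipserv code nor the wizcase.com proof of concept: a PHP handler that parses request XML with entity substitution enabled, beside a hardened version that refuses DTDs and never enables substitution. The request document and function names are constructed for this example.

```php
<?php
// Added illustration only: not Axentra's Hipserv code and not the wizcase.com PoC.
// Shows the XXE failure mode in a PHP XML endpoint and the hardened counterpart.

// Constructed request body: declares an external entity and references it.
$sampleRequest = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<request><name>&ext;</name></request>
XML;

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, so on builds
// that honour it the SYSTEM entity is resolved and the file content lands in <name>.
function parseRequestVulnerable(string $xml): ?string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : (string) $doc->name;
}

// Hardened: the API never needs a DTD, so refuse any document that carries one,
// parse without LIBXML_NOENT, and add LIBXML_NONET so libxml makes no network fetches.
function parseRequestHardened(string $xml): ?string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null; // reject outright; the caller should log this as a probe
    }
    if (PHP_VERSION_ID < 80000) {
        // Older PHP: switch the external entity loader off explicitly
        // (the function is deprecated in PHP 8.0, where it is no longer needed).
        libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true); // keep parser errors out of the response
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prevErrors);
    return $doc === false ? null : (string) $doc->name;
}

// The hardened parser returns NULL for the constructed request; the vulnerable one
// may return the referenced file's content, depending on the PHP/libxml build.
var_dump(parseRequestHardened($sampleRequest));
var_dump(parseRequestVulnerable($sampleRequest));
```

Rejecting the DOCTYPE up front is the check that holds across PHP and libxml versions; the parser flags alone vary between builds.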
CVE-2018-18472: WD MyBook Live Remote Command Execution
WD MyBook Live and some models of WD MyCloud NAS contain a remotely exploitable vulnerability that allows anyone, without authentication, to execute commands on the device as root. The vulnerability lies in the REST API's language-change and modify functionality. A proof of concept is shown in this wizcase.com article.
What does this mean for the affected NAS users?
The question is what practical consequences this has for device owners. I would say: don't store confidential documents on these NAS devices. The people at wizcase.com suggest the following:
- If you are using one of the above devices and it is connected to the WAN, make sure that the device is no longer accessible from the Internet. The NAS should only be accessible locally on the secure network.
- Please contact the affected vendors and insist that they publish a patch as soon as possible, because so far no update has been released.
The people at wizcase.com also suggest using a VPN to protect your computers and mobile devices from hackers. ExpressVPN and NordVPN are recommended, as both use 256-bit AES encryption. But I'm not sure whether that's a good idea, especially with NordVPN. I reported on a privilege escalation vulnerability in this product in September 2018 (see my German article ProtonVPN und NordVPN mit Privilege Escalation-Bug).