NETGEAR ReadyNAS Storage Vulnerable to Serious Command-Injection Flaw

NETGEAR ReadyNAS’ Frontview front end is vulnerable to a serious command injection flaw that puts all data moving through a network at risk.

A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy.

The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But according to Tripwire researcher Craig Young who discovered the issue and reported it to NETGEAR, only a fraction of Internet-facing boxes have been patched. An attacker exploiting the vulnerability could gain root access to the box.

Young said very little information has been released about the severity of the bug, from NETGEAR in particular. The advisory on the NETGEAR website makes little reference to security except in fine print at the end of the notice with a bullet-point about a Frontview update that addresses security issues. Young said he doesn’t believe customers are incentivized enough to apply the 4.2.24 update when a previous update, 4.2.23, included new features and bug fixes.

“There’s a lot of room for people to get burned on this,” Young told Threatpost. “I felt it is important to get the message out to people that if you’re running the RAIDiator firmware (prior to the current version) it’s easy to attack the system. As we’ve found with Microsoft patches, people reverse-engineer patches to find vulnerabilities. This is the type of thing that anyone could trivially compare this firmware to the previous and see in an instant where the vulnerability is.”

Young added that should a Metasploit exploit module be developed for the bug, that would also accelerate the possibility of in-the-wild attacks; Young said he has not seen any to date despite the fact that a search on the Shodan search engine shows upwards of 10,000 boxes running the vulnerable front end. Many thousands more show up in the search engine running other services that could allow access such as FTP. Complicating matters, Young said, is that attacks against this ReadyNAS bug are not easily detectable by intrusion prevention systems, for example.

“We’re not opening a portal on ReadyNAS that would show up in a scan,” Young said. “An attacker could make it look like an HTTP connection. You’d really have to be in tune with the system to see that it should not be making this outbound connection. Somebody can still do damage as long as the Web interface is exposed.”

Frontview is the ReadyNAS web management interface; the vulnerability allows command injection and fails to validate or sanitize user input and can be triggered without authentication, Young said.

“The consequence is that an unauthenticated HTTP request can inject arbitrary Perl code to run on the server,” Young wrote on the Tripwire blog. “Naturally, this includes the ability to execute commands on the ReadyNAS embedded Linux in the context of the Apache web server.”

Once an attacker, using a specially crafted HTTP GET request, has local access to the network, they could use the RAIDar discovery protocol to find other vulnerable ReadyNAS installations and gain root access to those boxes as well.

“It gives you command execution in the context of the web server.  The web server runs as admin rather than root but it’s actually enough to also execute commands as the root user,” Young said. His proof-of-concept exploit opens a reverse root shell giving an attacker the ability to access data, modify passwords, add users and more

“Using this vulnerability, you could send a special GET request, get a root shell, install attack tools, scan further and exfiltrate data,” Young said. “I would say it’s trivial to get code execution as the admin user and only slightly more difficult to gain root access.”

If the ReadyNAS web interface is not facing the Internet, an attacker could also exploit this hole by luring users to a malicious website or sending an email with a malicious image tag in it, for example, containing the specially crafted URL that would trigger the vulnerability.  Using a reverse TCP shell, Young wrote, enables a system that’s been breached to be controlled from outside the network.

Young said he has been in communication with NETGEAR about the severity of the vulnerability, in particular with engineers there working on addressing the flawed code.

“This is a serious oversight,” Young said. “If you are running ReadyNAS and you have not already updated, it is imperative that you do so ASAP, especially if your ReadyNAS web interface is one of the thousands that are directly accessible from the public Internet.”

Updated at 7 a.m. with clarifications from Craig Young

Suggested articles