It has been known for some time now, several months in fact, that some of Netgear’s ReadyNAS storage boxes have a critical, remotely exploitable vulnerability, and a patch has been available since July. Yet many of the boxes exposed to the Web remain vulnerable: a recent scan by HD Moore of Rapid7 found that about 65 percent of the ReadyNAS devices reachable on port 80 are still unpatched.
Moore, the founder of the Metasploit Project and chief research officer at Rapid7, wanted to know how many ReadyNAS boxes were exposed to the Web, and how many of those were running the vulnerable firmware. To find out, he used his Project Sonar infrastructure to scan the IPv4 address space and identify ReadyNAS devices. The fingerprint relied on the response to an HTTP GET request on port 80: ReadyNAS devices answer with headers that identify them.
“I wrote a quick script to process this data via stdin, match ReadyNAS devices, and print out the IP address and Last-Modified date from the header of the response. I ran the raw scan output through this script and made some coffee. The result from our October 4th scan consisted of 3,488 lines of results. This is a little different than the numbers listed by SHODAN, but they can be explained by DHCP, multiple merged scans, and the fact that the ReadyNAS web interface is most commonly accessed over SSL on port 443,” Moore wrote in a blog post on the experiment.
“The interesting part about the Last-Modified header is that it seems to correlate with specific firmware versions. Version 4.2.24 was built on July 2nd, 2013 and we can assume that all versions prior to that are unpatched.”
Moore counted 3,488 ReadyNAS boxes exposed on port 80, and of those, 2,257 were running vulnerable versions of the firmware. He said it is not clear whether the results would differ significantly had the scan been run against port 443 instead.
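The triage step Moore describes, matching ReadyNAS responses and judging them by the Last-Modified header against the 4.2.24 build date, is simple enough to show in code. The following is an added example written for this article, not Moore’s script or anything from Rapid7: it parses raw HTTP responses, uses a placeholder marker (the string “ReadyNAS”) to stand in for whatever fingerprint Moore actually matched on, which the article does not state, and classifies each device as patched, unpatched, or unknown when no usable Last-Modified date is present. The sample responses and IP addresses are constructed for the example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Build date of ReadyNAS firmware 4.2.24, the first patched release (from the article).
# Anything built before this date is assumed unpatched, as Moore's post does.
PATCH_CUTOFF = datetime(2013, 7, 2, tzinfo=timezone.utc)

# ASSUMPTION: placeholder fingerprint. The real header/body marker Moore matched on is
# not given in the article, so this example simply looks for the string "ReadyNAS".
READYNAS_MARKER = re.compile(r"ReadyNAS", re.IGNORECASE)

# Constructed sample scan output (ip -> raw HTTP response), not real scan data.
SAMPLE_RESPONSES = {
    "192.0.2.10": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                   "Last-Modified: Tue, 15 Jan 2013 10:00:00 GMT\r\n"
                   "Content-Type: text/html\r\n\r\n<html><title>ReadyNAS</title></html>"),
    "192.0.2.11": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                   "Last-Modified: Tue, 02 Jul 2013 00:00:00 GMT\r\n"
                   "Content-Type: text/html\r\n\r\n<html><title>ReadyNAS</title></html>"),
    "192.0.2.12": ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                   "Last-Modified: Mon, 01 Jan 2007 00:00:00 GMT\r\n\r\n<html>not a NAS</html>"),
    "192.0.2.13": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                   "Content-Type: text/html\r\n\r\n<html><title>ReadyNAS</title></html>"),
}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers


def classify(ip, raw):
    """Return (ip, last_modified, status) for a ReadyNAS response, or None otherwise.

    status is "unpatched" (built before 4.2.24), "patched", or "unknown" when the
    Last-Modified header is absent or unparseable.
    """
    if not READYNAS_MARKER.search(raw):
        return None
    _, headers = parse_headers(raw)
    lm = headers.get("last-modified")
    if lm is None:
        return ip, None, "unknown"
    try:
        built = parsedate_to_datetime(lm)
    except (TypeError, ValueError):
        return ip, lm, "unknown"
    if built.tzinfo is None:            # "-0000" yields a naive datetime; treat as UTC
        built = built.replace(tzinfo=timezone.utc)
    return ip, built, ("unpatched" if built < PATCH_CUTOFF else "patched")


def summarize(responses):
    """Tally classifications over a mapping of ip -> raw response."""
    counts = {"readynas_total": 0, "unpatched": 0, "patched": 0, "unknown": 0}
    for ip, raw in responses.items():
        result = classify(ip, raw)
        if result is None:
            continue
        counts["readynas_total"] += 1
        counts[result[2]] += 1
    total = counts["readynas_total"]
    counts["percent_unpatched"] = round(100.0 * counts["unpatched"] / total, 1) if total else 0.0
    return counts


if __name__ == "__main__":
    for ip, raw in SAMPLE_RESPONSES.items():
        result = classify(ip, raw)
        if result is not None:
            print("%s\t%s\t%s" % result)
    print(summarize(SAMPLE_RESPONSES))
```

A device whose Last-Modified date equals the cutoff is treated as patched, since the patched firmware was built on that day; devices with no date are reported separately rather than silently folded into either bucket, which is the honest way to carry the “it’s not clear” caveat into the numbers.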
The vulnerability in ReadyNAS, which was discovered by Tripwire researcher Craig Young, enables an attacker to execute commands on a vulnerable device in the context of the Web server. Young has a proof-of-concept exploit that gives him a reverse shell.