ID

VAR-200708-0254


CVE

CVE-2007-4361


TITLE

NETGEAR ReadyNAS RAIDiator default root user password vulnerability

Trust: 1.2

sources: CNVD: CNVD-2007-4989 // CNNVD: CNNVD-200708-247

DESCRIPTION

NETGEAR (formerly Infrant) ReadyNAS RAIDiator before 4.00b2-p2-T1 beta creates a default SSH root password derived from the hardware serial number, which makes it easier for remote attackers to guess the password and obtain login access.

ReadyNAS is a direct-attached storage device based on Linux and debian-sparc platforms. ReadyNAS has two users enabled by default: admin (default password infrant1) and root. Each time the device starts, a hard-coded algorithm generates the root password as a hash of the Ethernet MAC address, the software version number and a shared secret. The root password cannot be changed permanently, because it is reset on every startup.

The ReadyNAS device boots from built-in flash memory, which holds the Linux kernel and the initrd image. At startup, the initrd image looks for installed hard disks and initializes them. If an uninitialized hard disk is found, it is added to the RAID array. Part of the hard disk is used as the root file system, which is initialized from a tarball stored in the flash.

After the rootfs is loaded, some consistency checks are performed, and some important configuration files are encrypted and backed up. These files cannot be changed without decryption.

At startup, the /linuxrc file in the initrd image is executed first. It contains the following:

--------------
SEED1=`/sysroot/sbin/ifconfig eth0 | grep HWaddr | sed -e 's/.*HWaddr //' -e 's/ //g'`
SEED2=`cut -f2 -d= /sysroot/etc/raidiator_version | cut -f1 -d,`
[*EDIT*: removed SEED3 as friendly requested by vendor]
echo "root:`echo \"$SEED1$SEED2$SEED3\" | md5sum | cut -f1 -d ' '`" | chpasswd
# TAKE ME OUT !!
[ -s /sysroot/.os_passwd ] && echo "root:`/sysroot/usr/bin/head -1 /sysroot/.os_passwd`" | chpasswd
#################
/sysroot/bin/mv /etc/passwd /sysroot/etc/passwd 2>$ERR
rm -rf /sysroot/etc/hosts_equiv /sysroot/root/.rhosts /sysroot/root/.ssh/* 2>$ERR
--------------

The password is the MD5 hash of the following components:

a.) MAC address obtained from ifconfig
b.) Software version number read from /etc/raidiator_version
c.) Shared secret in SEED3

Even though the root password varies from device to device (the MAC address is part of the hash), it is still not secret. First, if the NAS device is on the local LAN, the MAC address can be queried through an ARP request. Second, the default host name is nas-xx-yy-zz (which can be displayed on the https-based interface), where xx, yy and zz are the last three octets of the MAC address. Finally, the version of the software can be determined by brute force guessing.

Successfully exploiting this issue allows remote attackers to gain superuser-level access to affected devices. This issue affects devices with firmware versions 3.01c1-p1 and 3.01c1-p6 installed; other versions may also be affected.

----------------------------------------------------------------------

TITLE: Infrant ReadyNAS Devices SSH Default Root Password Weakness

SECUNIA ADVISORY ID: SA26442

VERIFY ADVISORY: http://secunia.com/advisories/26442/

CRITICAL: Not critical

IMPACT: Security Bypass

WHERE: From remote

OPERATING SYSTEM: Infrant ReadyNAS Devices 3.x http://secunia.com/product/15287/

DESCRIPTION: Brian Chapados and Felix Domke have reported a weakness in Infrant ReadyNAS devices, which can be exploited by malicious people to bypass certain security restrictions. The problem is that the device includes an SSH daemon that cannot be disabled and that the password for the SSH root account on the device is generated using certain device-specific values (e.g. MAC address, serial number, version number) and cannot be changed permanently. The weakness is reported in ReadyNAS devices with RAIDiator 3.01c1-p1, 3.01c1-p6.

SOLUTION: The vendor has provided the ToggleSSH add-on to disable/enable SSH on the device and has released RAIDiator 4.00b2-p2-T1 beta version, which has SSH disabled by default.
http://www.infrant.com/download/addons/ToggleSSH_1.0.bin
http://www.infrant.com/beta/raidiator/4.0/RAIDiator-4.00b2-p2-T1

PROVIDED AND/OR DISCOVERED BY: Brian Chapados and Felix Domke

ORIGINAL ADVISORY: Infrant Technologies:
http://www.infrant.com/forum/viewtopic.php?t=12313
http://www.infrant.com/forum/viewtopic.php?t=12249

Trust: 2.61

sources: NVD: CVE-2007-4361 // JVNDB: JVNDB-2007-004281 // CNVD: CNVD-2007-4989 // BID: 25290 // VULHUB: VHN-27723 // PACKETSTORM: 58544

AFFECTED PRODUCTS

vendor: netgear // model: readynas raidiator // scope: eq // version: 3.01c1-p6

Trust: 1.6

vendor: netgear // model: readynas raidiator // scope: eq // version: 3.01c1-p1

Trust: 1.6

vendor: net gear // model: readynas raidiator // scope: lt // version: 4.00b2-p2-t1 beta

Trust: 0.8

vendor: none // model: - // scope: - // version: -

Trust: 0.6

vendor: netgear // model: readynas raidiator 3.01c1-p6 // scope: - // version: -

Trust: 0.3

vendor: netgear // model: readynas raidiator 3.01c1-p1 // scope: - // version: -

Trust: 0.3

vendor: netgear // model: readynas raidiator // scope: eq // version: 0

Trust: 0.3

sources: CNVD: CNVD-2007-4989 // BID: 25290 // JVNDB: JVNDB-2007-004281 // CNNVD: CNNVD-200708-247 // NVD: CVE-2007-4361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-4361
value: HIGH

Trust: 1.0

NVD: CVE-2007-4361
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200708-247
value: CRITICAL

Trust: 0.6

VULHUB: VHN-27723
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-4361
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-27723
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-27723 // JVNDB: JVNDB-2007-004281 // CNNVD: CNNVD-200708-247 // NVD: CVE-2007-4361

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-4361

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200708-247

TYPE

Design Error

Trust: 0.9

sources: BID: 25290 // CNNVD: CNNVD-200708-247

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-004281

PATCH

title: Top Page // url: http://www.netgear.com/

Trust: 0.8

sources: JVNDB: JVNDB-2007-004281

EXTERNAL IDS

db: NVD // id: CVE-2007-4361

Trust: 3.4

db: BID // id: 25290

Trust: 2.0

db: SECUNIA // id: 26442

Trust: 1.8

db: SREASON // id: 3017

Trust: 1.7

db: OSVDB // id: 36357

Trust: 1.7

db: JVNDB // id: JVNDB-2007-004281

Trust: 0.8

db: CNVD // id: CNVD-2007-4989

Trust: 0.6

db: BUGTRAQ // id: 20070813 DEFAULT ROOT PASSWORD IN INFRANT (NOW NETGEAR) READYNAS "RAIDIATOR"

Trust: 0.6

db: XF // id: 36011

Trust: 0.6

db: CNNVD // id: CNNVD-200708-247

Trust: 0.6

db: VULHUB // id: VHN-27723

Trust: 0.1

db: PACKETSTORM // id: 58544

Trust: 0.1

sources: CNVD: CNVD-2007-4989 // VULHUB: VHN-27723 // BID: 25290 // JVNDB: JVNDB-2007-004281 // PACKETSTORM: 58544 // CNNVD: CNNVD-200708-247 // NVD: CVE-2007-4361

REFERENCES

url:http://www.infrant.com/forum/viewtopic.php?t=12313

Trust: 2.1

url:http://www.infrant.com/forum/viewtopic.php?t=12249

Trust: 1.8

url:http://www.securityfocus.com/bid/25290

Trust: 1.7

url:http://www.osvdb.org/36357

Trust: 1.7

url:http://secunia.com/advisories/26442

Trust: 1.7

url:http://securityreason.com/securityalert/3017

Trust: 1.7

url:http://www.infrant.com/forum/viewtopic.php?t=3366&start=30

Trust: 1.6

url:http://www.securityfocus.com/archive/1/476266/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/36011

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4361

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-4361

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/476266/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/36011

Trust: 0.6

url:http://www.infrant.com/products/products.php

Trust: 0.3

url:/archive/1/476266

Trust: 0.3

url:http://www.infrant.com/forum/viewtopic.php?t=3366&start=30

Trust: 0.1

url:http://secunia.com/product/15287/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://www.infrant.com/download/addons/togglessh_1.0.bin

Trust: 0.1

url:http://secunia.com/advisories/26442/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://www.infrant.com/beta/raidiator/4.0/raidiator-4.00b2-p2-t1

Trust: 0.1

sources: VULHUB: VHN-27723 // BID: 25290 // JVNDB: JVNDB-2007-004281 // PACKETSTORM: 58544 // CNNVD: CNNVD-200708-247 // NVD: CVE-2007-4361

CREDITS

Brian Chapados <brian@chapados.org>, Felix Domke <tmbinc@elitedvb.net>

Trust: 0.6

sources: CNNVD: CNNVD-200708-247

SOURCES

db: CNVD // id: CNVD-2007-4989
db: VULHUB // id: VHN-27723
db: BID // id: 25290
db: JVNDB // id: JVNDB-2007-004281
db: PACKETSTORM // id: 58544
db: CNNVD // id: CNNVD-200708-247
db: NVD // id: CVE-2007-4361

LAST UPDATE DATE

2025-04-10T23:19:59.783000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2007-4989 // date: 2007-08-13T00:00:00
db: VULHUB // id: VHN-27723 // date: 2018-10-15T00:00:00
db: BID // id: 25290 // date: 2015-05-07T17:36:00
db: JVNDB // id: JVNDB-2007-004281 // date: 2012-09-25T00:00:00
db: CNNVD // id: CNNVD-200708-247 // date: 2007-08-16T00:00:00
db: NVD // id: CVE-2007-4361 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2007-4989 // date: 2007-08-13T00:00:00
db: VULHUB // id: VHN-27723 // date: 2007-08-15T00:00:00
db: BID // id: 25290 // date: 2007-08-13T00:00:00
db: JVNDB // id: JVNDB-2007-004281 // date: 2012-09-25T00:00:00
db: PACKETSTORM // id: 58544 // date: 2007-08-14T17:37:33
db: CNNVD // id: CNNVD-200708-247 // date: 2007-08-15T00:00:00
db: NVD // id: CVE-2007-4361 // date: 2007-08-15T19:17:00