NAS security flaws impact devices from Netgear, Seagate, Medion, and Western Digital

Critical firmware flaws impacting four major network-attached storage (NAS) drive manufacturers remain unpatched, leaving nearly two million devices vulnerable to remote data-theft attacks, researchers have warned.

The first bug (CVE-2018-18471) was discovered in Hipserv, a NAS OS from Axentra that provides cloud-based login and file storage management functionalities to products from multiple vendors, including Netgear Stora, Seagate GoFlex Home, and Medion LifeCloud.

After playing around with the Axentra REST API endpoint and web management interface, researchers Paulos Yibelo and Daniel Eshetu found that it was possible to read files and make SSRF requests on all three NAS drives.

Additionally, a flaw in the way the web interface performed root actions could allow hackers to add or remove users or execute commands with the highest privileges – all with no action required from the victim.

The researchers’ findings first appeared on VPN review site WizCase last week. According to Yibelo, the researchers received no response from Axentra or the NAS drive vendors, and all of the devices remain unpatched.

“We focused on discovering only critical vulnerabilities that can be exploited remotely without any user interaction,” the researchers said. “We wanted to execute commands on the devices remotely with the highest privileges. We were successful, in all the devices.”

The Daily Swig has reached out to Netgear, Seagate, and Medion for comment on the Hipserv OS flaw.

The Axentra customer support page simply provides links back to the vendors.

Continuing their audit of NAS devices, the researchers discovered a separate vulnerability, CVE-2018-18472, affecting Western Digital’s MyBook Live NAS drive.

“Some models of WD MyCloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root,” the researchers said.

Issuing a response last week, Western Digital said the MyBook Live devices were discontinued in 2014 and are no longer covered under the company’s device software support lifecycle.

“We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device,” the company said.

Offering advice to any NAS drive owners impacted by these vulnerabilities, Yibelo told The Daily Swig: “Unfortunately there currently really isn’t much users can do to avoid hacks except putting the devices off the internet and maybe configuring firewalls to stop outbound connections from reaching their NAS IPs.”

The global NAS device market is forecast to be worth around $45 billion by 2023.

This is not the first time the security of NAS drives has come under scrutiny. Earlier this year, Cisco Talos said connected storage devices from Mikrotik and QNAP were under threat from the VPN Filter malware framework.