Educated Guesswork: Infrant SSH backdoor

« Fail-what? | Main | Airline blacklist version whatever »

August 8, 2007

Infrant SSH backdoor

Infrant (makers of ReadyNAS, now owned by Netgear) just released a security advisory for remote root SSH access to their box:

NETGEAR has released an add-on to toggle SSH support for the ReadyNAS systems based on a potential exploit to obtain root user access to the ReadyNAS RAIDiator OS. Each ReadyNAS system incorporates a different root password that can be used by NETGEAR Support to understand and/or fix a ReadyNAS system remotely using the ReadyNAS serial number as a key. An attacker that has obtained the algorithm (and your serial number) to generate the root password would be able to remotely access the ReadyNAS and view, change, or delete data on the ReadyNAS.
ReadyNAS installation most vulnerable to this attack is in an unsecure LAN and where the ReadyNAS SSH port (22) is accessible by untrusting clients. Typical home environments are safe if a firewall is utilized and port 22 is not forwarded to the ReadyNAS from the router. We do advise that all ReadyNAS users perform this add-on installation regardless.
Installation of the ToggleSSH add-on will disable remote SSH access and thus close the vulnerability. At the same time, if you need remote access assistance from NETGEAR Support, you can install the ToggleSSH add-on again to re-enable SSH access during the time when the remote access is needed.

In other words, NETGEAR support can remotely log into any ReadyNAS box as root and manage it. A few notes:

I'm having trouble imagining any conditions under which I'd want NETGEAR support to have remote access to my fileserver (and no, I don't own one of these). I wonder if there's some way to change the root password or if you're stuck with this backdoor. Is this really something that they need a lot or was it just a cunning plan that didn't get filtered out at some higher level.
They don't disclose the algorithm they use to produce the password. Some such algorithms are good and some are bad. It would be interesting to know which type this is.
There are three major ways to build a system like this on the verifying side:
1. Have the box simply know its own password.
2. Have the password-generation algorithm built into the box.
3. Use public key cryptography. E.g., the password is a digital signature over the serial number.
If I had to bet, it would be on (1) or (2). (2) is obviously pretty bad since it means that anyone who has a single box can reverse engineer the algorithm and generate as many passwords as they want. Anyone take one of these apart and know?
What kind of auditing is available to find out if your box has already been taken over by some attacker who knows the key—or just someone from NETGEAR tech suport.

Oh, and what were they thinking having this on by default? Outstanding!

Posted by ekr at August 8, 2007 9:45 PM | Filed under: Networking, SYSSEC

Comments

This is extremely annoying to Infrant owners.

One of the selling points of the Infrant is the fact that you can ssh in to it to manage the box and scp files up and down from it in addition to using SMB, NFS, DAV, and other methods for moving files back and forth.

Having to turn it off because the assholes left a back door is an enormous pain in the tush. Not that it would have been rational to leave the thing on the open internet in the first place (I have no such equipment on open networks.)

Posted by: Perry E. Metzger at August 9, 2007 4:27 AM

> Oh, and what were they thinking having this on by default? Outstanding!

They were thinking "how in the world do we support this thing when home users who think they can 'click on the Internet' say it just doesn't work?"

There are a lot of trade-offs at play here. If it defaults off, then the people who need it the most ("I clicked on my fileserver and nothing happened") don't have the benefit.

I'm not defending all of Netgear's actions. (I have pending security advisories to them they seem to be ignoring, for one. Anyone got a security contact there?) At the very least they should have disclosed this account to their customers. And then made it easy to deactivate.

Posted by: Dan Weber at August 9, 2007 6:47 AM

Isn't remote management access for vendors pretty standard in the NAS world? It's a bit strange that consumer/lowest-end devices are supposed to offer a similar level of service. But the programmers probably got the general idea (and that the whole thing is acceptable) from the real boxes.

Posted by: Florian Weimer at August 9, 2007 12:18 PM

Florian - I was thinking the same thing. In the high-end NAS world, you've paid for support and part of that is remote assistance (heck, these days when a disk fails we get the shipping notice from NetApp almost as fast as we get the failure notifications). Sure, it requires you to trust the vendor but . . . if you're running their code you already do.

Posted by: Chris Adams at August 9, 2007 4:30 PM

Note that in addition to the new ToggleSSH addon, the firmware v4 beta (which is now available) also enables support for another addon that allows you to keep ssh up and running and change the root password to one of your own chosing. So you can have your cake and eat it too.

-brendan

Posted by: brendan at August 10, 2007 7:57 AM