Monday, October 20, 2014

Your Network Storage needs an Exorcist!

Happy Halloween, readers! And what says trick-or-treat better than a good ol' mission-critical vulnerability that can take down your entire operation without an attacker even making an effort? Why, we may even go so far as to say the breach can occur without needing authentication.

Basically, a vulnerability that makes Shellshock and POODLE look like, need we say it, CHILD'S PLAY! In other words, it opens Pandora's box: a mission-critical object that the whole family can lament when it's dead. What is it? Well, we can give you a hint: an object that everyone depends on, is more expensive than all get out, is used at home and at work, and would stop all productivity if it were breached. Give up? How about your Network Storage Devices!

Yes, ladies and gentlemen, some of your favorite manufacturers are vulnerable, e.g., Seagate, D-Link, Lenovo, Buffalo, QNAP, Western Digital, Netgear, ZyXEL, Asustor, TRENDnet, HP, Synology, to name a few… 



Why Do you Do Dis To Me Demi?


Presenting at Black Hat Europe, ISE analyst Jacob Holcomb walked through egregious deficiencies in network storage systems: of those evaluated, 100% were vulnerable to exploitation. Network-based storage systems are used in millions of homes, schools, government agencies, and businesses around the world for data storage and retrieval. With today's dependence on Internet-based services, virtualization technologies, and the need to access data from anywhere, storage systems are relied on more than ever. As with other network hardware (e.g., routers), these devices are purchased and installed by IT teams and home consumers with the expectation that the system is protected from the infamous hacker.

His presentation focuses on the "how to" and the implications of compromising network-based storage systems, and concludes that the absence of security, not only in storage hardware but in networking hardware in general, has left data unprotected and millions of networks vulnerable to exploitation.

What they found in a nutshell:
  • A staggering 100% of devices are susceptible to root compromise.
  • At least 50% of devices can be exploited without authentication.
  • MITRE has assigned 22 CVE numbers.
  • Far WORSE than routers! (If this is possible)

Types of Vulnerabilities Discovered
  • Command Injection
       char *cmd_inject = "Command Injection is a form of attack where operating system specific commands are injected into a vulnerable application for execution.\n";
  • Cross-Site Request Forgery
  • Buffer Overflow
       char *stuff_da_buff = "Buffer Overflows occur when a program attempts to write data that exceeds the capacity of a fixed length buffer, and consequently, overwrites adjacent memory.\n";
  • Missing Function Level Access Control
       char *MFLAC = "The absence of server-side authentication and authorization checks.\n";
       Authentication Bypass
       Authorization Failure
  • Information Disclosure
  • Backdoor
  • Poor Session Management
       Deterministic Cookie Generation
  • Directory Traversal
       Arbitrary File Upload and Download

Types of Counter Measures that can be performed

Command Injection Countermeasures

  • Developers

       Avoid calling shell commands when possible; use an API instead.
       If an API does not exist, sanitize user input before passing it to a function that executes system commands.
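
Both developer countermeasures above in one place, as an added example that is not from the original post or from Holcomb's slides. The handler, the `/shares/` layout and every function name are hypothetical; the input is checked against an allowlist and the command is run without a shell.

```c
#include <stdio.h>
#include <string.h>
#include <spawn.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Allowlist: 1-32 characters from [A-Za-z0-9_-]; no shell metacharacters, '/' or '.'. */
int share_name_ok(const char *s)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n = strlen(s);
    return n >= 1 && n <= 32 && strspn(s, allowed) == n;
}

/* Pattern to avoid: the string a handler would pass to system(). Built only,
 * never executed here, to show that the input becomes shell syntax. */
int unsafe_cmdline(char *out, size_t cap, const char *share)
{
    return snprintf(out, cap, "du -s /shares/%s", share);
}

/* Hardened: validate first, then run du directly with no shell involved.
 * The input is one argv element; "--" ends option parsing.
 * Returns du's exit status, or -1 if the name is rejected or the spawn fails. */
int share_usage(const char *share)
{
    char path[48];   /* "/shares/" (8) + at most 32 name bytes + NUL */
    pid_t pid;
    int status;

    if (!share_name_ok(share))
        return -1;
    snprintf(path, sizeof path, "/shares/%s", share);
    char *argv[] = { "du", "-s", "--", path, NULL };
    if (posix_spawnp(&pid, "du", NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Validation and shell-free execution are independent layers: with no shell in the path a metacharacter is just a byte in a filename, and the allowlist additionally keeps `..` and `/` out of the path.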

Missing Function Level Access Controls Countermeasures

  • Developers

       Perform server-side authentication and authorization checks.

Buffer Overflow Countermeasures

  • Developers

       Don’t use unsafe functions
       Perform bounds checking
       Compile/Link with overflow prevention techniques
  • Canary/Stack Cookie

       gcc -fstack-protector
  • ASLR

       gcc -fPIE || ld -pie
  • DEP/NX

       gcc marks the stack non-executable by default

Remediation

Well, boys and girls, we can't say whether your Network Storage facilities are waiting for you to turn a blind eye, but we can say what you may want to consider to avoid such a calamity. For starters: your vendors, transparent patch management, security embedded in the software design, and perhaps the indoctrination of security principles (e.g., Least Privilege, Defense in Depth).




HAPPY HALLOWEEN KIDS!

Source(s):
  • https://www.blackhat.com/docs/eu-14/materials/eu-14-Holcomb-Network-Attached-Shell-N-A-S-ty-Systems-That-Store-Network-Accessible-Shells.pdf

So “Once more unto the breach, dear friends, once more;”
____________________________________________________________

About Rick Ricker

An IT professional with over 22 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.

For more information, contact Rick at (800) 399-6085 x502
