There are critical vulnerabilities in the firmware of Netgear ReadyNAS storage devices.
While Netgear already released patches for most of the flaws, most users still haven’t updated their firmware, said researchers at Tripwire.
The vulnerabilities affect ReadyNAS RAIDiator firmware versions 4.2.x prior to 4.2.24 and 4.1.x prior to 4.1.12. However, when Netgear released updates, it hadn’t provided any details to make users understand why it is important to patch their installations.
Over 10,000 devices are running the vulnerable version of the firmware, said Tripwire’s Craig Young, who added 73 percent of the appliances connected to the Internet have not undergone patching.
So how can cybercriminals exploit the vulnerabilities and what can they accomplish? Young said in a blog post the most serious security hole plagues the Frontview HTTPS web management interface.
The flaw exists because user input does not undergo proper sanitation so an attacker can inject his own commands. There is no authentication required for this exploit.
“Frontview is the primary user interface for ReadyNAS and as such it cannot be disabled or blocked through any configuration options, so there were no obvious mitigation strategies,” Young said in the post.
Cybercriminals can exploit the vulnerability by tricking victims into opening a specially crafted web page or email message. If the attack is successful, the hacker can gain full access to the system.
Additional technical details on the vulnerabilities are available in an advisory published on Tripwire’s website.