J-Security Center

Title: NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

Severity: CRITICAL

Description:

NETGEAR ReadyNAS is a storage device for networks. It was previously sold by Infrant. RAIDiator is the name of the operating system for ReadyNAS devices.

NETGEAR ReadyNAS RAIDiator is prone to a remote SSH-backdoor vulnerability because remote attackers can readily guess the superuser password.

SSH access is enabled by default on these devices. A known and documented 'admin' account is normally used for remote administration. Undocumented access to the 'root' account is also available.

The superuser account password is changed to an algorithmically chosen password every time the device is booted. The password is the result of concatenating the MAC address of the network interface, the firmware version string, and a shared secret, and then taking the MD5 of the resulting string. The MAC address can be deduced remotely, the firmware version can be brute-forced, and the shared secret can be obtained by gaining access to the '/linuxrc' script on any affected device.
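The derivation described above, set beside a randomly generated per-device password, as an added example that is not code from the advisory or from NETGEAR. The shared secret, the sample MAC address, the concatenation layout and the function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed placeholder. The real shared secret and the exact string
# layout (separators, case, digest encoding) are not given in the advisory.
SHARED_SECRET = "PLACEHOLDER-SHARED-SECRET"


def derived_boot_password(mac: str, firmware: str, secret: str = SHARED_SECRET) -> str:
    """Scheme from the advisory: MD5 over MAC + firmware version + shared secret."""
    return hashlib.md5((mac + firmware + secret).encode("ascii")).hexdigest()


def unknown_bits(firmware_candidates: int) -> float:
    """Entropy left once the MAC is observed and the fleet-wide secret is known.

    Only the firmware version string remains unknown, so the keyspace is the
    number of plausible version strings, however long the MD5 output is.
    """
    return math.log2(firmware_candidates)


def random_boot_password(nbytes: int = 16) -> str:
    """Contrast: a per-device secret drawn from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample value
    fw = "3.01c1-p6"           # version string named in the advisory
    print("derived password :", derived_boot_password(mac, fw))
    print("random password  :", random_boot_password())
    print("unknown bits with 64 candidate versions:", unknown_bits(64))
    print("unknown bits with 16 random bytes      :", 16 * 8)
```

The derived value looks like a 128-bit secret but carries only as much uncertainty as its least-known input, which is why a per-boot reset does not help when every input is fixed or observable.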

Successfully exploiting this issue allows remote attackers to gain superuser-level access to affected devices.

This issue affects devices with firmware versions 3.01c1-p1 and 3.01c1-p6 installed; other versions may also be affected.

Affected Products:

  • NetGear ReadyNAS RAIDiator
  • NetGear ReadyNAS RAIDiator 3.01c1-p1
  • NetGear ReadyNAS RAIDiator 3.01c1-p6
