
Forum Discussion

redstamp
Apprentice
Jun 04, 2016

/dbbroker exploit

3 weeks ago I purchased a Netgear ReadyNAS and moved all my files onto it. This week I tried to turn on "ReadyNAS Replicate" under the Cloud tab in the LAN http interface. There were some user credentials auto-populated in the pop-up box that followed, and the user was "/dbbroker" with the usual ******** for the password.

As I didn't recognise this username (I only have the original 'admin' user and a single ReadyCloud user, which is nothing like 'dbbroker'), I searched the internet and came across a number of pages about a ReadyNAS User Credentials Disclosure exploit called /dbbroker - see this link (or just search Google for "dbbroker readynas" and go to the second link): https://www.exploit-db.com/exploits/37720/

I can't find any more details on the exploit and wondered if I should be worried? I was using Chrome, so presuming the details have been auto-populated from Chrome, I cleared the Chrome cache / history.

9 Replies

  • JennC
    NETGEAR Employee Retired

    Hello redstamp,

    Is this a brand new sealed ReadyNAS unit? Or a pre-owned one?

    Welcome to the community!

    Regards,

    • redstamp
      Apprentice

      JennC,

      Thanks for the welcome.

      This was a new unit purchased from Scan Computers. One of the drive bays had a faulty spring out of the box, so I was initially concerned it was a pre-used NAS, but the box was still sealed with the Netgear tape, so I convinced myself it was a brand new unit and the spring just came loose during transit. I fixed the spring within 5 mins, so no need to return etc.

      The firmware wanted updating when I initially plugged it in (1st April 2016), although I forget from and to which versions. And again I updated to the new 6.5.0 on about 20th May 2016.

      Thanks,

      Jon

  • Skywalker
    NETGEAR Expert

    redstamp wrote:

    I can't find any more details on the exploit and wondered if I should be worried? I was using Chrome, so presuming the details have been auto-populated from Chrome, I cleared the Chrome cache / history.

    That "exploit" isn't directly related to dbbroker. It's just a generic method of trying to sniff HTTP Basic Auth headers. That can be accomplished by an attacker on your local network if the traffic passes through a hub that the attacker is connected to, or if an attacker is able to launch a successful man-in-the-middle attack, or if the attacker has access to the system from which you log in to the admin interface. To prevent these attacks, just use HTTPS. You can also completely disable HTTP access to the admin UI by going to System -> Settings, then click on the HTTP button, and uncheck "Enable HTTP Admin".
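    As an added illustration of why that sniffing works (example code written for this page, not from the thread or from NETGEAR): HTTP Basic Auth is only base64 of "user:password", so a defender auditing a capture of port-80 admin traffic can flag every request that exposed an account. The request heads, hostname and credential below are constructed; the report names the account to rotate and never writes the password itself.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Finding:
    """One cleartext request that carried recoverable credentials."""
    path: str
    user: str          # reported so the affected account can be rotated
    password_len: int  # the secret itself is never written to the report

def basic_auth_user(header_value: str) -> Optional[Tuple[str, int]]:
    """Return (user, password length) if the value is a well-formed Basic credential."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:  # Basic Auth is plain base64 of "user:password", nothing secret protects it
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, len(password)) if sep else None

def audit_cleartext_requests(requests: List[str]) -> List[Finding]:
    """Scan raw HTTP/1.x request heads (as seen in a port 80 capture) for Basic Auth."""
    findings = []
    for raw in requests:
        head, *header_lines = raw.split("\r\n")
        parts = head.split(" ")
        path = parts[1] if len(parts) >= 2 else "?"
        for line in header_lines:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "authorization":
                parsed = basic_auth_user(value)
                if parsed:
                    findings.append(Finding(path, parsed[0], parsed[1]))
    return findings

# Constructed sample capture (hostname and credential are made up for this example).
SAMPLE_CAPTURE = [
    "GET /admin/ HTTP/1.1\r\nHost: nas.example.lan\r\nAuthorization: Basic YWRtaW46czNjcmV0\r\n",
    "GET /status HTTP/1.1\r\nHost: nas.example.lan\r\nAuthorization: Bearer not-basic\r\n",
    "GET /admin/ HTTP/1.1\r\nHost: nas.example.lan\r\nAuthorization: Basic @@bad@@\r\n",
]

if __name__ == "__main__":
    for f in audit_cleartext_requests(SAMPLE_CAPTURE):
        print(f"cleartext Basic Auth to {f.path}: user={f.user!r}, {f.password_len}-char password exposed")
```

    Only the first request is reported; a Bearer token and a malformed base64 blob are ignored, and on an HTTPS-only admin UI there would be nothing readable to scan at all.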

    • StephenB
      Guru

      Skywalker wrote:  You can also completely disable HTTP access to the admin UI by going to System -> Settings, then click on the HTTP button, and uncheck "Enable HTTP Admin".

      Disabling http admin access is a good idea (I actually think it should be disabled by default).

  • Retired_Member
    The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).
    • StephenB
      Guru

      jak0lantash wrote:
      The problem with disabling HTTP admin by default is the panic created by the browser WARNING THIS IS UNSECURE CONNECTION, BEWARE, YOU MAY BE GOING TO GET DESTROYED overdone messages warning that the HTTPS certificate isn't signed properly (doesn't match fqdn, etc.).

      I understand the user heart attack resulting from the panic, and that is likely why Netgear leaves it enabled.

      But the truth is https (with the warning) is more secure than http (without the warning).  So if you forward http through your router then you should certainly disable http admin.  Businesses probably should disable it too.  

      It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.

      • Retired_Member

        StephenB wrote:
        But the truth is https (with the warning) is more secure than http (without the warning)

        That's for sure! ^^


        StephenB wrote:
        But the truth is https (with the warning) is more secure than http (without the warning).  So if you forward http through your router then you should certainly disable http admin.  Businesses probably should disable it too.  

        It doesn't matter very much if you are a home user who doesn't enable remote web access to the NAS.


        I actually think the default setting is different on desktop units (HTTP) and on rackmount units (HTTPS) - OS6 of course.
