MindBender
Dec 02, 2015 Aspirant
HUGE security leak in ReadyNAS
I've been using a ReadyNAS 6 Pro for years now and I have always been quite happy with it, but today to my horror I discovered a HUGE security leak in this product. My configuration has the FTP s...
MindBender
Dec 03, 2015 Aspirant
So any and every newly connected USB mass storage device is automatically shared over all services, including services without authentication such as http and ftp, that are potentially accessible to the whole internet?! That's an INCREDIBLY DUMB feature! It goes right next to the pinless hand grenade.
So before attaching any USB mass storage device, publicly accessible services such as ftp and http must be blocked in the router, then the device can be attached. After that the default and unwanted open share must be disabled and finally the publicly accessible services must be enabled again. Is that how ReadyNAS developers pictured it? Instead of simply needing to enable what you actually want? That's INSANE!
Do you guys realize this is a professional NAS, used by small businesses all over the world?
kohdee
Dec 07, 2015 NETGEAR Expert
Might I suggest an alternative to your problem? Use Backup in Frontview to send your data from the ReadyNAS to a computer that you have the USB shared out with. You can map that backup job directly to the backup button to kick off when you so choose, all the while allowing you to have uninterrupted service functionality by not mounting any USBs automatically to your ReadyNAS.
- MindBender Dec 08, 2015 Aspirant
My problem, dear NETGEAR Employee, is not the lack of a safe way to back up my ReadyNASes. My problem is that my ReadyNAS Pro has been spilling all of my data to the world wide web due to a security leak. A secondary problem is NetGear classifying this leak as a feature.
NetGear sells this device as a professional product, for small businesses. It's not unthinkable that small businesses make the FTP service on this device available to the outside world, because FTP isn't of much use on an internal network. I hoped it was a bug, but apparently for NetGear the inconvenience of having to tick a box somewhere to share newly attached devices took precedence over the very real possibility of accidentally sharing the full contents of this device with the rest of the world. This is plain stupid!
I have filed a full report with the authorities. I'm sure they will get into contact with you.
BTW: Log rotation in ReadyNAS is broken too, leaving only two weeks of forensic evidence. You probably haven't tested that. Fix it.
- StephenB Dec 08, 2015 Guru - Experienced User
I think the issue was already stated clearly. Kohdee simply offered a method to prevent further leakage for your consideration. There's no way he can go back in time and undo any leakage that might have occurred.
Turning up the emotional heat in your posts might be cathartic for you, but won't change anything. 4.2.28 firmware has already been announced as the final release. The level of Netgear management you need to reach to try and reverse that generally doesn't participate here.
As a non-netgear mod, I'm locking the thread. The point has been made, and escalating the rhetoric further will push the conversation out of bounds.