
Forum Discussion

MindBender
Aspirant
Dec 02, 2015

HUGE security leak in ReadyNAS

I've been using a ReadyNAS 6 Pro for years now and I have always been quite happy with it, but today to my horror I discovered a HUGE security leak in this product.


My configuration has the FTP server enabled for one share, called 'public', which contains files I need other people to have access to. Nothing special. The share has write access too, because I also use it for people to drop stuff off for me, nothing special either. My internet connection isn't fast enough for other people to store large amounts of illegal content.


For the last two weeks I've been making a backup of my server's full content. The quickest way to do this is to attach a USB drive, so I don't have to pull all data over the network. And now it turns out that this backup drive, including the full content, has been exposed to the whole world! Who knows what has been harvested by 'hackers', bots and criminals! I noticed this because when verifying my files, all kinds of spam files were popping up everywhere.


Netgear somehow found it a good idea to share attached USB drives by default with the rest of the world! Help me out here, Netgear, because your support team is hiding behind serial-number-protected web forms and a maze of links redirecting people to FAQs. I need logs from my NAS to estimate the damage.

5 Replies

  • kohdee
    NETGEAR Expert

    This is not a security leak.

    By design, USB devices automatically mount to enabled file services for you to access.  

    To disable FTP on the USB, go to Shares > Share Listing, click on FTP on your USB and set to disabled.
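The thread's point is that a freshly attached USB volume is exposed over whatever file services are enabled, FTP included, until it is disabled per share. An added example (not from the thread, and not NETGEAR code) of the check a practitioner would run from outside the NAS, before and after the Shares > Share Listing step: log in to FTP anonymously and record which top-level shares an unauthenticated client can enter and write to. The host name, the share names and the `FakeFTP` stand-in are constructed so the script runs offline; the `connect` parameter and `PROBE_DIR` name are my own choices for testability.

```python
"""Audit an FTP service for anonymous read/write access to top-level shares.

Added example, not from the forum thread or NETGEAR. Assumes a plain FTP
server on port 21; the host name below is a placeholder.
"""
from ftplib import FTP, error_perm

PROBE_DIR = "__audit_probe__"  # hypothetical name for the writability probe


def audit_anonymous_ftp(host, port=21, timeout=5, connect=None):
    """Return a dict describing what an unauthenticated FTP client can do.

    `connect` is an optional factory returning an ftplib.FTP-like object; it
    exists so the check can be exercised against a fake server offline.
    """
    result = {"host": host, "anonymous_login": False, "shares": {}, "error": None}
    try:
        ftp = connect() if connect else FTP()
        if not connect:
            ftp.connect(host, port, timeout=timeout)
        ftp.login()  # anonymous login: user "anonymous", no real password
        result["anonymous_login"] = True
    except (error_perm, OSError, EOFError) as exc:
        result["error"] = str(exc)  # refused, timed out, or anonymous denied
        return result

    try:
        for name in ftp.nlst():  # top-level entries, i.e. the shares
            entry = {"readable": False, "writable": False}
            try:
                ftp.cwd("/" + name)  # can we enter the share at all?
                ftp.nlst()           # and list it?
                entry["readable"] = True
            except error_perm:
                pass
            else:
                try:
                    ftp.mkd(PROBE_DIR)  # write probe: create and remove a dir
                    ftp.rmd(PROBE_DIR)
                    entry["writable"] = True
                except error_perm:
                    pass
            result["shares"][name] = entry
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    return result


def exposed_shares(report, allowed=("public",)):
    """Shares anonymously readable but not on the expected allow-list,
    e.g. an auto-mounted USB volume that was never meant to be shared."""
    return sorted(n for n, e in report["shares"].items()
                  if e["readable"] and n not in allowed)


class FakeFTP:
    """Constructed stand-in for ftplib.FTP so the audit runs offline.
    Models a NAS exposing 'public' (rw) and an auto-mounted USB drive (rw),
    plus an authenticated-only share 'backup' that anonymous cannot enter."""
    def __init__(self):
        # True = anonymous read/write, None = anonymous access denied
        self.tree = {"public": True, "USB_HDD_1": True, "backup": None}
        self.cwd_name = None

    def login(self, user="anonymous", passwd="", acct=""):
        return "230 Login successful."

    def cwd(self, path):
        name = path.strip("/")
        if name == "":
            self.cwd_name = None
            return "250 OK"
        if self.tree.get(name) is None:
            raise error_perm("550 Permission denied.")
        self.cwd_name = name
        return "250 OK"

    def nlst(self, *args):
        return list(self.tree) if self.cwd_name is None else []

    def mkd(self, name):
        if not self.tree[self.cwd_name]:
            raise error_perm("550 Permission denied.")
        return "/%s/%s" % (self.cwd_name, name)

    def rmd(self, name):
        return "250 OK"

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    # Offline demo against the constructed server; against a real NAS drop
    # the connect= argument: audit_anonymous_ftp("nas.example.lan")
    report = audit_anonymous_ftp("nas.example.lan", connect=FakeFTP)
    print(report)
    print("unexpectedly exposed:", exposed_shares(report))
```

Run it against the NAS's FTP port from the outside (or from the router's WAN side) before attaching the drive, and again after the share's FTP access has been set to disabled; the USB volume should drop out of `exposed_shares`. The write probe creates and removes an empty directory only, so it leaves no files behind on a share that does allow anonymous writes.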

    • MindBender
      Aspirant

So any and every newly connected USB mass storage device is automatically shared over all services, including services without authentication such as HTTP and FTP, that are potentially accessible to the whole internet?! That's an INCREDIBLY DUMB feature! It goes right next to the pinless hand grenade.


So before attaching any USB mass storage device, publicly accessible services such as FTP and HTTP must be blocked in the router; then the device can be attached. After that the default and unwanted open share must be disabled, and finally the publicly accessible services must be enabled again. Is that how ReadyNAS developers pictured it? Instead of simply needing to enable what you actually want? That's INSANE!


      Do you guys realize this is a professional NAS, used by small businesses all over the world?

      • kohdee
        NETGEAR Expert

Might I suggest an alternative to your problem? Use Backup in Frontview to send your data from the ReadyNAS to a computer that you have the USB shared out with. You can map that backup job directly to the backup button to kick off when you so choose, all the while allowing for you to have uninterrupted service functionality by not mounting any USBs automatically to your ReadyNAS.
