NETGEAR ReadyNAS

Community Support Forum
 Post subject: Security Advisory: Vulnerability of root SSH access (V3.01)
Posted: Mon Aug 06, 2007 5:09 pm
NETGEAR ReadyNAS Security Advisory
Vulnerability of root SSH access

August 6, 2007

NETGEAR has released an add-on to toggle SSH support for the ReadyNAS systems based on a potential exploit to obtain root user access to the ReadyNAS RAIDiator 3 OS. Each ReadyNAS system incorporates a different root password that can be used by NETGEAR Support to understand and/or fix a ReadyNAS system remotely using the ReadyNAS serial number as a key. An attacker that has obtained the algorithm (and your serial number) to generate the root password would be able to remotely access the ReadyNAS and view, change, or delete data on the ReadyNAS.

The ReadyNAS installation most vulnerable to this attack is one on an unsecured LAN where the ReadyNAS SSH port (22) is accessible by untrusted clients. Typical home environments are safe if a firewall is utilized and port 22 is not forwarded to the ReadyNAS from the router. We do advise that all ReadyNAS users perform this add-on installation regardless.

Installation of the ToggleSSH add-on will disable remote SSH access and thus close the vulnerability. At the same time, if you need remote access assistance from NETGEAR Support, you can install the ToggleSSH add-on again to re-enable SSH access during the time when the remote access is needed.

To install, download and save the ToggleSSH add-on to your computer. Then invoke the ReadyNAS FrontView and go to the System/Update/Local tab. Specify the add-on as the update image, accept the confirmation, and reboot the ReadyNAS. After reboot, you will get a “Successfully disabled SSH service” message in FrontView. The whole process will take about 5 minutes.

Note: RAIDiator 4 has SSH disabled by default.

_________________
"Sinks with water foot-pumps."
Yoh-dah's Useless Invention Ideas
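
A check that can be run from a client on the LAN after the reboot, to confirm that port 22 on the ReadyNAS no longer answers with an SSH banner. This is an added example, not part of the original post or of NETGEAR's tooling; the function name `ssh_exposure` and the address 192.0.2.10 are placeholders.

```python
import socket
import sys


def ssh_exposure(host, port=22, timeout=3.0):
    """Classify the SSH port of a device as seen from this client.

    Returns one of:
      "closed"     - connection refused, nothing is listening
      "filtered"   - no answer (timeout, firewall drop, host unreachable)
      "ssh"        - a service answered with an SSH identification string
      "open-other" - something accepted the connection but is not SSH
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Covers timeouts and unreachable hosts or networks.
        return "filtered"
    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server sends its identification string first ("SSH-2.0-...").
            banner = sock.recv(64)
        except OSError:
            banner = b""
    return "ssh" if banner.startswith(b"SSH-") else "open-other"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass the ReadyNAS address instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    state = ssh_exposure(host)
    if state == "ssh":
        # The add-on is a toggle: installing it a second time re-enables SSH.
        print(f"{host}: SSH still reachable on port 22; add-on not applied or SSH re-enabled")
    elif state == "open-other":
        print(f"{host}: port 22 is open but did not send an SSH banner")
    else:
        print(f"{host}: port 22 is {state} from this client")
```

The result only describes reachability from the machine running the check, so run it from each network segment that should not reach the ReadyNAS, including from outside the router if port forwarding is in question.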