SoonerLater
Explorer
- Joined
- Mar 7, 2013
- Messages
- 80
-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Article: NAS boxes more vulnerable than routers, researcher finds (PC World)
- Thread starter SoonerLater
- Start date
- Status
- Joined
- Mar 5, 2013
- Messages
- 1,824
You bungled your link (just try to click it, it leads nowhere).
Here's the correct link.
Anyway, that's not very surprising to me considering that these are not enterprise-level devices (same level as a home router) and security is obviously not on the top of the list.
Of course, they're also never designed to be put on a public-facing network in the first place (though many uninformed users will inevitably do this), so that should take out majority of attack vectors.
Here's the correct link.
Anyway, that's not very surprising to me considering that these are not enterprise-level devices (same level as a home router) and security is obviously not on the top of the list.
Of course, they're also never designed to be put on a public-facing network in the first place (though many uninformed users will inevitably do this), so that should take out majority of attack vectors.
jgreco
Resident Grinch
- Joined
- May 29, 2011
- Messages
- 18,680
I promise you that the enterprise-level devices are also frequently vulnerable, and because working storage systems are something that admins are loathe to dink around with, things like firmware updates for security issues are generally not applied right away. On the other hand they are usually locked away on dedicated storage networks with tightly controlled access.
- Joined
- Mar 5, 2013
- Messages
- 1,824
I never really said that they're not. I'm just saying that you could expect that from consumer-level devices.
jgreco
Resident Grinch
- Joined
- May 29, 2011
- Messages
- 18,680
Regardless of what you "really said", it could easily be taken to imply otherwise.
Basically appliances have a whole world of pain associated with them. We're going to learn that more and more as we get more and more of them connected to the Internet...
Basically appliances have a whole world of pain associated with them. We're going to learn that more and more as we get more and more of them connected to the Internet...
9C1 Newbee
Patron
- Joined
- Oct 9, 2012
- Messages
- 485
No pain no gain?
SwampRabbit
Explorer
- Joined
- Apr 25, 2014
- Messages
- 61
Good "starter" article, but it is far from anything new, and its a pretty simple article. I wish it went more in-depth.
22 CVEs really isn't that bad in comparison, but also depends on the severity and exposure risk.
I have been following many of them and still waiting to see how high it may climb for some of the appliances.
As jgreco pointed out, a problem can be that they don't get patched for whatever reason, or sometimes can't be.
The whole section where the writer discusses the types of vulnerabilities found "command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal", isn't that scary depending on the exposure risk. Also these can be said about pretty much most software out there, at least one or two of the vulnerabilities comes standard as a selling point half the time it seems. :)
Heck even a lot of IPMI implementations have still several of them.
Despite the fact that many appliances, SOHO devices, printers, etc are usually built to serve one purpose, it is usually the inclusion of "added features" which create the vulnerabilities outlined in the article.
On the topic of SOHO routers, some big ones that caused a stir for some people I know was the ASUS AiCloud and half baked CIFS and FTP features of their wireless routers. They were very vulnerable and sort of still are, especially when users are finding them enabled by default. HP is notorious for some of the admin/root backdoors and web interfaces that are subject to injection in their appliances, even the data storage ones. Some Dell Printer models have backdoors and are subject to easy island hopping.
Security by design is still slowly being accepted as the norm, finding that "just works vs secure" middle ground is hard sometimes. Cost and time becomes an issue for some shops when implementing security into the software development lifecycle, other times it is ignorance and laziness.
I recently dealt with an application developer who refused to reduce vulnerabilities due to cost and time. The application was riddled with vulnerabilities, but also used PostgreSQL 8.3 (very vulnerable and end of life for support). They didn't want to update Postgre because they would have to overhaul their code, instead they just wanted to keep peddling their crapware hoping someone will buy it without knowing any better.
The more vulnerabilities found, the better in my opinion. Well as long as patches come quickly after.
22 CVEs really isn't that bad in comparison, but also depends on the severity and exposure risk.
I have been following many of them and still waiting to see how high it may climb for some of the appliances.
As jgreco pointed out, a problem can be that they don't get patched for whatever reason, or sometimes can't be.
The whole section where the writer discusses the types of vulnerabilities found "command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal", isn't that scary depending on the exposure risk. Also these can be said about pretty much most software out there, at least one or two of the vulnerabilities comes standard as a selling point half the time it seems. :)
Heck even a lot of IPMI implementations have still several of them.
Despite the fact that many appliances, SOHO devices, printers, etc are usually built to serve one purpose, it is usually the inclusion of "added features" which create the vulnerabilities outlined in the article.
On the topic of SOHO routers, some big ones that caused a stir for some people I know was the ASUS AiCloud and half baked CIFS and FTP features of their wireless routers. They were very vulnerable and sort of still are, especially when users are finding them enabled by default. HP is notorious for some of the admin/root backdoors and web interfaces that are subject to injection in their appliances, even the data storage ones. Some Dell Printer models have backdoors and are subject to easy island hopping.
Security by design is still slowly being accepted as the norm, finding that "just works vs secure" middle ground is hard sometimes. Cost and time becomes an issue for some shops when implementing security into the software development lifecycle, other times it is ignorance and laziness.
I recently dealt with an application developer who refused to reduce vulnerabilities due to cost and time. The application was riddled with vulnerabilities, but also used PostgreSQL 8.3 (very vulnerable and end of life for support). They didn't want to update Postgre because they would have to overhaul their code, instead they just wanted to keep peddling their crapware hoping someone will buy it without knowing any better.
The more vulnerabilities found, the better in my opinion. Well as long as patches come quickly after.
Last edited:
- Status
Similar threads
