NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

Bugtraq ID:	25290
Class:	Design Error
CVE:	CVE-2007-4361
Remote:	Yes
Local:	No
Published:	Aug 13 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	Brian Chapados and Felix Domke are credited with the discovery of this issue.
Vulnerable:	NetGear ReadyNAS RAIDiator 3.01c1-p6 NetGear ReadyNAS RAIDiator 3.01c1-p1 NetGear ReadyNAS RAIDiator 0
Not Vulnerable:

NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

NETGEAR ReadyNAS RAIDiator is prone to a remote SSH-backdoor vulnerability because remote attackers can readily guess the superuser password.

Successfully exploiting this issue allows remote attackers to gain superuser-level access to affected devices.

This issue affects devices with firmware versions 3.01c1-p1 and 3.01c1-p6 installed; other versions may also be affected.

NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

Attackers use a standard SSH client to exploit this issue.

NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

Solution:
The vendor has released an advisory and a software package that will allow users to disable SSH access. Please see the references for more information.


NetGear ReadyNAS RAIDiator 0

• NetGear ToggleSSH_1.0.bin
  http://www.infrant.com/download/addons/ToggleSSH_1.0.bin

NetGear ReadyNAS RAIDiator 3.01c1-p1

• NetGear ToggleSSH_1.0.bin
  http://www.infrant.com/download/addons/ToggleSSH_1.0.bin

NetGear ReadyNAS RAIDiator 3.01c1-p6

• NetGear ToggleSSH_1.0.bin
  http://www.infrant.com/download/addons/ToggleSSH_1.0.bin

NETGEAR ReadyNAS RAIDiator Remote SSH Backdoor Vulnerability

References:

• ReadyNAS Product Page (NETGEAR)
  
• Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator" (Felix Domke )
  
• NETGEAR ReadyNAS Security Advisory: Vulnerability of root SSH access (NETGEAR)