raidsonic-disclose.txt

17 Mar 2008 | Reported by Collin Mulliner | Type: packetstorm | Source: packetstormsecurity.com

RaidSonic NAS-4220-B firmware 2.6.0-n (2007-10-11) stores the hard disk encryption key in plain on an unencrypted partition, compromising security

Code
`  
Manufacturer: RaidSonic (www.raidsonic.de)  
Device: NAS-4220-B  
Firmware: 2.6.0-n(2007-10-11)  
Device Type: end user grade NAS box  
OS: Linux 2.6.15  
Architecture: ARM   
Designed by: Storm Semiconductor Inc (www.storlinksemi.com)  
  
  
Problem:   
Hard disk encryption key stored in plain on unencrypted partition.  
  
  
Time line:  
Found: 09. March 2008  
Reported: 09. March 2008  
Disclosed: 16. March 2008   
  
  
Summary:  
The NAS-4220-B offers disk encryption through its web interface. The  
key used for encrypting the disk(s) is stored on an unencrypted  
partition. Therefore one can extract the encryption key by removing  
the disk from the NAS and reading the value from the unencrypted  
partition. The key itself is stored in a file in plain (base64  
encoded). Therefore the NAS-4220 crypt disk support cannot be  
considered secure.  
  
  
Details:  
The NAS-4220-B can hold two SATA disks. Disks are encrypted through a  
loop back device using AES128. The problem came to my attention when  
I could access the NAS after reboot without supplying the hard disk key.  
  
The key is stored in /system/.crypt, "/system" is a small   
configuration partition on the same disk that holds the encrypted   
partition. The system partition is created by the system software   
running on the NAS-4220. The configuration partition of the second   
hard disk is not mounted by default but also contains the .crypt file   
holding the key for the encrypted partition on the same disk.  
  
  
Accessing the key (key value is the example I used):  
$ cat /system/.crypt  
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=  
  
key in plain            key in base64  
12345678901234567890    MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=  
  
  
Base64 decode:  
#!/usr/bin/env python3  
# Decode the base64 value read from /system/.crypt  
from base64 import b64decode  
print(b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=").decode())  
  
  
Reported by:  
Collin Mulliner <collin(AT)betaversion.net >  
  
  
  
  
Collin's Advisories: http://www.mulliner.org/security/advisories/  
  
--  
Collin R. Mulliner <[email protected]>  
BETAVERSiON Systems [www.betaversion.net]  
info/pgp: finger [email protected]  
If you have to run heating in winter, you don't own enough computers.  
`
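
The following check is an added example, not part of the original advisory or of any RaidSonic tooling: before a disk from this NAS is retired, returned or shipped, it reports whether the mounted configuration partition still holds a decodable key file, without printing the key. The function names are hypothetical, and the mount point of the configuration partition is assumed to be supplied by the caller; the demo uses a constructed temporary directory in place of /system.

```python
import base64
import binascii
import os
import tempfile

KEY_FILE = ".crypt"  # file name taken from the advisory (/system/.crypt)


def audit_config_partition(mount_point):
    """Report whether a mounted config partition exposes the disk key.

    Returns a dict describing the finding; the key itself is never returned.
    """
    path = os.path.join(mount_point, KEY_FILE)
    finding = {"path": path, "present": False, "decodable": False,
               "key_length": 0, "exposed": False}
    if not os.path.isfile(path):
        return finding
    finding["present"] = True
    with open(path, "rb") as fh:
        raw = fh.read().strip()
    try:
        key = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return finding  # file exists but is not plain base64
    finding["decodable"] = True
    finding["key_length"] = len(key)
    # A non-empty decodable value on an unencrypted partition means anyone
    # holding the disk can unlock the encrypted partition stored beside it.
    finding["exposed"] = len(key) > 0
    return finding


def demo():
    """Run the audit on a constructed directory standing in for /system."""
    with tempfile.TemporaryDirectory() as fake_system:
        with open(os.path.join(fake_system, KEY_FILE), "w") as fh:
            # Constructed input: the example value shown in the advisory.
            fh.write("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=\n")
        return audit_config_partition(fake_system)


if __name__ == "__main__":
    print(demo())
```

Because the second disk's configuration partition is not mounted by default, it has to be mounted and audited separately.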
