Home > Blog > Sitecom NAS MD-253 and MD-254 Risk Mitigation

Sitecom NAS MD-253 and MD-254 Risk Mitigation

Gepubliceerd door admin on augustus 27, 2012

So far we have published two security advisories for vulnerabilities we have discovered in NAS products manufactured by Mapower, including the popular Sitecom MD-253 and MD-254 models. The flaws we have discovered can be exploited through the web management UI and do not require a logged in session.

In our crusade to convince Sitecom and Mapower to completely overhaul their insecure web management component we plan to disclose a new vulnerability every week, starting the first Monday of September. We expect a long series of upcoming advisories as long as they do not fix the root problem and remain irresponsive.

Of course the last thing we want is you to become the victim of our pending disclosures (which may or may not be patched by your vendor at the time of disclosure). This is why we started to develop our own solution in order to protect you from ALL future related security flaws in the web management UI of the known vulnerable Mapower NAS products.

You might think “I am safe, because I always install the latest firmware plus, my NAS is behind a firewall”. Beside the fact that some owners have a legitimate reason for connecting their NAS to the Internet (we have seen examples of small businesses that use the device as a simple FTP-facility for exchanging large files with their customers), do you really trust all legitimate users on your local network? Any parents out there? Small business owners?

Of course installing the latest firmware is good practice and it will protect you from the attacks we describe in our previous security advisories. But there is a slight problem. There is a fundamental flaw in the design of the web management interface that has not been fixed today. Despite our numerous attempts to bring this to the vendor’s attention, their response so far has been inadequate.   

Nevertheless, our advisories may attract the attention from malicious hackers and inspire them to find additional vulnerabilities. Instead of notifying the vendors and allow them to fix the vulnerabilities, these bad guys may cause harm to the innocent.

How is this possible do you ask? And if you can do it why didn’t the vendor do this in the first place? Our solution is based on a very simple, ancient browser feature called “Basic Authentication”. It is that forgotten little browser dialog that pops up and asks for your user credentials. It is not as fancy as the forms based authentication used in modern web applications, yet Basic Authentication is a very effective mitigation technique for the vulnerabilities we have reported. It removes the entire attack surface for unauthenticated users. So, if you do not provide valid login credentials, it will not process any configuration changes, heck, it will not even show you the management pages at all! As a downside, for the management UI to function properly, you still need to log into the familiar login page as well. Now you know why the vendors do not offer this type of solution in the first place. It’s not very eye-pleasing and even a little confusing when asking login details twice. Of course, after your initial login your browser may offer you to remember your credentials. In this case this may not be a bad idea. Let’s face it: if an attacker gets hold of your browser’s stored secrets you have a bigger problem at hand, because modern web browsers are much better protected than your NAS!

At this time we only have a solution available for Sitecom devices. We plan to provide a solution for Conceptronic devices as well if there is any demand for it. So let us know in the comments if you are interested. Even better, if you own a Conceptronic Grab'n'Go and do not mind testdriving our solution, do not hesitate to contact us. We promise we will not try to break (into) your NAS!

Download and Installation

The Sitecom MD-25x allows for additional packages to install. What we did is create a package that enables Basic Authentication on the NAS embedded webserver. Installation is easy:

  1. Download the BasicAuth package from the link below:
  2. Copy it to your Packages folder on the public share of your NAS
  3. Login to your NAS and choose Package Management tab in the Toolbox MenuSitecom_BasicAuth_install_01.png
  4. Click on the SitecomNas_pkg_BasicAuth_1.0.1 link to install the package
  5. Select the BasicAuth package and click the Start buttonSitecom_BasicAuth_install_02.png
  6. Close your browser, reopen it and try to login again. You are presented with a login dialogSitecom_BasicAuth_install_03.png