I recently tested an Iomega NAS A300U and discovered that it has several security and inter-operability issues, as outlined in the following.

Affected Systems:

Device: Iomega NAS A300U
O/S: FreeBSD 3.5 (this has not been verified)
Manager Version: Iomega NAS Manager 1.2 (P0-080102)
Web Server: Apache v1.3.26
CIFS/SMB Server: UNIX Samba v2.0.10

NOTE: The vulnerabilities described may apply to other models of the Iomega NAS line. It is recommended that you test your system and report any vulnerabilities to Iomega. Iomega verified that the NAS has the latest version of the O/S installed.

Unaffected Systems:

Unknown - The Iomega NAS line is based on UNIX or Windows. Only the A300U (UNIX based) was tested. The vulnerabilities described may apply to other models of the Iomega NAS line. It is recommended that you test your system and report any vulnerabilities to Iomega.

Details:

Clear Text IDs and Passwords When Using NAS Administration Web Page:

The Iomega NAS A300U is administered via a web page. The documentation states that this can only be done using Microsoft Internet Explorer. A sniff of the administrative traffic revealed that all the administrative web pages are in clear text, including the admin logon. Anyone with a sniffer can capture the administrator's user ID and password, and the user ID and password of any accounts that are created or modified.

The "Iomega NAS Family Brochure" states the following:

"The Iomega NAS Discovery Management Tool provides an intuitive interface with remote management flexibility and convenience. Encrypted login for the administrator protects against unauthorized access. Access and manage all client data, NAS backup and restore preferences from anywhere on the network."

CIFS/SMB Mounts Susceptible to Man-In-The-Middle Attack:

The Iomega NAS supports drive mounts using CIFS/SMB. By default the NAS will allow plain text LANMAN authentication. This makes the NAS susceptible to man-in-the-middle attacks. The session can be hijacked and user IDs and passwords can be compromised. The Iomega NAS A300U does not provide an option for disabling plain text authentication.

FTP Can't be Disabled:

The Iomega NAS A300U allows access to the shared directories via FTP. FTP access to the shared directories can be disabled; however, this does not disable FTP access to the NAS, only to the shared directories. When a user connects to the NAS using FTP, the FTP root directory is the user's home directory. Any shared directories that have FTP enabled appear as sub-directories of the user's home directory. When FTP access to a shared directory is disabled, that directory no longer appears in the user's home directory. FTP access to shared directories can be disabled on a per-share basis, but the FTP service itself can't be disabled. IT departments wishing to disable FTP will not be able to do so. When FTP access is disabled on all shared directories, users can still connect to their home directories. The interaction between storage quotas and content stored in a user's home directory via FTP was not tested.

Interferes with Windows Browsing:

The Iomega NAS A300U participates in Windows Browser elections. The NAS is configured in such a way that it always(1) wins the election even though multiple Windows servers exist on the same subnet. The fact that the NAS won the browser election would not normally be a problem, except that the NAS does not correctly populate the browse list. This breaks any services that depend on browsing. In our case it disabled our Intel LanDesk server's ability to administer machines in our Windows NT domain. The NAS cannot be configured to disable participation in browser elections, and since it doesn't populate the browse list correctly it will disable any services that rely on Windows browsing.

(1) The NAS can authenticate users against a Windows NT Domain that it has joined. To join an Active Directory domain, the Active Directory must be running in mixed mode. In order to join a Windows domain, the NAS must also be on the same subnet as the domain's Windows NT Primary Domain Controller or Active Directory PDC Emulator. So I put the NAS on the same subnet as our servers. The subnet that the NAS was tested on has over eleven Windows servers, including a Windows Backup Domain Controller, a Windows Active Directory server, a Windows Active Directory PDC Emulator, a Windows Active Directory DNS server, several Exchange servers, a Blackberry Enterprise server, an Intel LanDesk server and several other test servers. Since there were such a large number of servers on the subnet, I felt that the problem was significant enough to warrant an alert without determining the conditions under which the NAS could lose a browser election. It is believed that the NAS won the browser election because of the way Samba is configured. There isn't any administrative option for changing Samba browser behavior.

Fixes and Workarounds:

Iomega was notified of the problems on October 17, 2002. Iomega stated that they are working on the problem but could not give an estimated time for completion.

As an interim solution I tested the following:

1. Placed the NAS and an administrative workstation behind a NAT firewall.
2. Specifically blocked HTTP and FTP access to the NAS and only forwarded the ports required for the services I wanted visible to users.
3. This also eliminated the problem of the NAS always winning browser elections and interfering with other Windows services.

Cons for the proposed workaround:

1. It requires a dedicated NAT firewall and administrative workstation.
2. The NAS will not be able to join a Windows NT domain or an Active Directory Domain running in mixed mode, so it will have to authenticate users against the local accounts database on the NAS instead of Windows domain accounts.

Contact Information:

Keith R. Watson
GTRI/ITD Systems Support Specialist III
Georgia Tech Research Institute
keith.watson@gtri.gatech.edu
Atlanta, GA 30332-0816
404-894-0836
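The Samba parameters behind the CIFS/SMB clear-text authentication finding and the browser-election finding above, as an added audit example (not Iomega's code and not part of the original advisory). The A300U exposes none of these settings to its administrator and its smb.conf was not published, so the two [global] sections below are constructed to show the weak behaviour beside the fix; the default values assumed are those of Samba 2.0.x.

```python
import re
# Constructed Samba 2.0.x [global] sections (the NAS's real smb.conf was
# not published): WEAK reproduces the advisory's findings, HARDENED fixes them.
WEAK_SMB_CONF = """
[global]
   encrypt passwords = no
   os level = 65
   preferred master = yes
   domain master = yes
   local master = yes
"""
HARDENED_SMB_CONF = """
[global]
   encrypt passwords = yes
   os level = 0
   preferred master = no
   domain master = no
   local master = no
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")  # lines starting ';' or '#' never match

def parse_global(text):
    """[global] parameters as {key: value}, lower-cased, key whitespace collapsed."""
    section, params = None, {}
    for line in text.splitlines():
        if m := _SECTION.match(line):
            section = m.group(1).strip().lower()
        elif section == "global" and (m := _KV.match(line)):
            params[re.sub(r"\s+", " ", m.group(1).strip().lower())] = m.group(2).lower()
    return params

def is_yes(val): return val in ("yes", "true", "1")

def audit(text):
    """Findings for the two weaknesses (empty = both pass). Assumed Samba 2.0.x
    defaults: encrypt passwords=no, os level=20, local/preferred/domain master=yes/no/no."""
    g, findings = parse_global(text), []
    if not is_yes(g.get("encrypt passwords", "no")):
        # Server negotiates clear-text passwords with clients that offer them.
        findings.append("accepts clear-text passwords (encrypt passwords != yes)")
    os_level = int(g.get("os level", "20"))
    if is_yes(g.get("local master", "yes")) and (
            os_level > 32 or is_yes(g.get("preferred master", "no"))):
        # NT 4.0 Server announces os level 32; beating it or forcing an election wins.
        findings.append("wins browser elections against NT servers (os level %d)" % os_level)
    if is_yes(g.get("domain master", "no")):
        findings.append("claims the domain master browser role")
    return findings
```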