lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20120618153813.07cee9db@sec-consult.com>
Date: Mon, 18 Jun 2012 15:38:13 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: bugtraq <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20120618-0 :: Western Digital ShareSpace WEB GUI
 Sensitive Data Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20120618-0 >
=======================================================================
              title: WD ShareSpace WEB GUI Sensitive Data Disclosure
            product: WD ShareSpace network storage system
 vulnerable version: WD ShareSpace <= v2.3.02 (D and E series)
      fixed version: none
             impact: High
           homepage: http://support.wdc.com/product/download.asp?groupid=901&sid=107&lang=en
              found: 2012-01-31
		 by: V. Paulikas 
                     SEC Consult Vulnerability Lab 
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
WD ShareSpace is high-speed network-attached storage system with capacities up
to 8 TB and a space-saving footprint gives you all the benefits of a big time
data center without the need for a big time IT department. Perfect for
centralizing and sharing data and multimedia files on a small office or home
network.

Source: http://www.wdc.com/wdproducts/library/AAG/ENG/4178-705023.pdf



Vulnerability overview/description:
-----------------------------------
WD ShareSpace network storage system has a built-in WEB GUI that is used to
administer the ShareSpace device. The built-in WEB GUI is prone to a sensitive
data disclosure due to an improper configuration of access rights of the
configuration file config.xml. By directly accessing the config.xml file
without authentication it is possible to obtain system's configuration data,
which includes network settings, shared folder names, SMB users and hashed
passwords, administrator's credentials, etc.


Proof of concept:
-----------------
The vulnerability is exploited by accessing the config.xml file directly with
a browser.

PoC URL has been removed as no vendor patch is available.


Vulnerable / tested versions:
-----------------------------
WD ShareSpace v2.3.01



Vendor contact timeline:
------------------------
2012-02-17: Contacting vendor through help center
            (http://wdc.custhelp.com/app/ask/).
2012-02-24: Vendor response, issue is being forwarded to the appropriate
            product development team (Level 2 team as by WD) for review and
            confirmation. Case 120217-002268 opened.
2012-03-02: Vendor response, issue has been reviewed, additional information
	    required.
2012-03-07: Providing additional information regarding the vulnerability.
2012-03-12: Vendor response, vulnerability escalated to their engineering team
            to verify and fix if possible.
2012-04-19: Asking if the vulnerability was fixed because of long response
            time.
2012-04-24: Vendor response, vulnerability not resolved.
2012-05-03: Vendor response, firmware update available, not related to
	    vulnerability
2012-05-07: Asking vendor to recheck if firmware update really
	    solves the problem.
2012-05-09: Vendor confirms, that the new firmware does not solve the problem.
2012-05-10: Asking vendor for more indepth research of the issue
2012-05-15: Vendor confirms the issue: ShareSpace running firmware version
            2.3.02 (D and E series) is affected.
	    Vendor disagrees that it's a security vulnerability.
2012-05-31: Informing vendor about the release of the advisory on 2012-06-18.
            No answer.
2012-06-11: Informing vendor once more about the release of advisory on
	    2012-06-18. No answer.
2012-06-18: No further response from vendor. Advisory published according to
            the SEC Consult's responsible disclosure policy.



Solution:
---------
No patch available.


Workaround:
-----------
Allow access to the administrative interface only from trusted networks.



Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF V. Paulikas / @2012

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ