A security vulnerability in the ReadyNAS Surveillance Application can be exploited by unauthenticated, remote attackers to gain root access to Netgear NAS systems, Sysdream Labs researcher Nicolas Chatelain has found.
ReadyNAS Surveillance is network video recording (NVR) software that installs directly to a ReadyNAS storage device and allows companies to set up a surveillance network with different types of IP cameras.
“Because the ReadyNAS Surveillance cgi_system cgi application doesn’t check the user-provided ‘bfile’ POST parameter and does not check if the user is authenticated, it’s possible to execute arbitrary commands as root. It’s also possible, without RCE, to download the ReadyNAS Surveillance configuration files,” the researcher explained in a post on the Full Disclosure mailing list, which also contains PoC exploit code.
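To illustrate the bug class described in the quote above (a CGI handler that passes a user-controlled file name to a shell with no authentication check), here is a hypothetical handler beside a hardened version. This is an added example, not Netgear's code and not the actual cgi_system logic; the config directory path, the function names and the sample inputs are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CONFIG_DIR "/var/config/"   /* hypothetical location, not the real path */

/* Hypothetical vulnerable handler: the 'bfile' value is pasted into a shell
 * command and nobody checks whether the caller is logged in. Returns the
 * command that would be handed to system(); it is only built here, never run. */
const char *build_command_vulnerable(const char *bfile) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "cat " CONFIG_DIR "%s", bfile);
    return cmd;
}

/* Hardened input rule: a bare file name of [A-Za-z0-9._-], not starting with
 * '.', so it can neither escape the directory nor carry shell metacharacters. */
int is_safe_bfile(const char *bfile) {
    size_t len = strlen(bfile);
    if (len == 0 || len > 64 || bfile[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)bfile[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened handler: require an authenticated session, validate the name, and
 * build an argv for execv() so no shell ever parses user input. Returns 1 if
 * the request would be served, 0 if refused. */
int hardened_accepts(int authenticated, const char *bfile) {
    char path[256];
    char *argv[3];
    if (!authenticated || !is_safe_bfile(bfile)) return 0;
    if (snprintf(path, sizeof path, CONFIG_DIR "%s", bfile) >= (int)sizeof path) return 0;
    argv[0] = "cat"; argv[1] = path; argv[2] = NULL;
    /* A real handler would fork() and execv("/bin/cat", argv) here. */
    (void)argv;
    return 1;
}

int main(void) {
    const char *injected = "conf.xml; echo injected"; /* constructed sample input */
    printf("vulnerable would run: %s\n", build_command_vulnerable(injected));
    printf("hardened, unauthenticated, clean name: %d\n", hardened_accepts(0, "cameras.cfg"));
    printf("hardened, authenticated, injected name: %d\n", hardened_accepts(1, injected));
    printf("hardened, authenticated, clean name: %d\n", hardened_accepts(1, "cameras.cfg"));
    return 0;
}
```

The vulnerable builder shows how a single unvalidated parameter becomes an arbitrary command, while the hardened path refuses both the unauthenticated request and the metacharacter-laden name before anything reaches a shell.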
Chatelain had been trying to contact Netgear to share this information for months, and finally succeeded in late January.
The company’s first reaction was to publish a security vulnerability announcement and offer a temporary mitigation for the problem: they instructed users to disable port forwarding rules for their ReadyNAS devices running the app.
They finally published a new version of the ReadyNAS Surveillance app that fixes the vulnerability earlier this month. Users are advised to update to this latest version as soon as possible.