CVE-2018-14709
published 2018-12-03


Priority: P261 · Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.91% (percentile 77.2)
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.

Affected (1 range)

Vendor: drobo · Product: 5n2_firmware · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 5000
port: 5001
port: 8383
command: telnetd -l $SHELL -p 8383
command: /usr/sbin/telnetd -l /bin/sh -p 8383
url: /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383
bytes: 44 52 49 4e 45 54 54 4d 07 01 00 00
bytes: 44 52 49 4e 45 54 54 4d 0a 01 00 00
  • Detect NASd protocol handshake by matching the static 8-byte magic string 'DIRNETTM' (44 52 49 4e 45 54 54 4d) at the start of TCP payloads on ports 5000 and 5001.
  • Alert on outbound connections from a Drobo NAS to ftp://updates.drobo.com on port 21, which may indicate remote app installation being triggered by an attacker.
  • Detect command injection via the DroboAccess web interface by monitoring HTTP GET requests to /DroboAccess/delete_user containing shell metacharacters (e.g., single-quote followed by semicolon) in the username parameter.
  • Alert on telnetd or bind-shell processes spawned on port 8383 on Drobo NAS devices, which is the attacker's chosen backdoor port for both the 'popit' NASd exploit and the DroboAccess command injection.
  • Monitor TCP connections to port 5001 (NASd command port) from external/untrusted hosts; the protocol requires no real authentication and allows arbitrary command execution.
  • The exploit affects Drobo 5N2 firmware version 4.1.1 and lower; newer firmware versions were suspected vulnerable at the time of writing but unverified.
  • The stat port (5000) must be connected first before the command port (5001) will function; detection or blocking of port 5000 may be sufficient to break the exploit chain.
  • The device serial number is leaked unauthenticated from the stat port (5000) and is required to craft valid command messages; exposure of port 5000 to untrusted networks enables full exploitation.
  • Most of the Drobo product line appears to be vulnerable beyond the 5N2, though this was not verified by the researchers.
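The detection bullets above can be turned directly into matching logic. The following is an added example (not code from the page or its sources): three detectors for the listed indicators, the DIRNETTM magic on ports 5000/5001, a quote-plus-semicolon in the `username` parameter of `/DroboAccess/delete_user`, and a `telnetd` process bound to port 8383, run over constructed sample telemetry. The event tuple layout, function names and sample values are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicator values are those listed on the page; the detector logic is this example's own.
NASD_MAGIC = bytes.fromhex("44 52 49 4e 45 54 54 4d")  # b"DIRNETTM"
NASD_PORTS = {5000, 5001}            # stat port and command port
BACKDOOR_PORT = 8383                 # telnetd bind port used by both exploit paths
_QUOTE_SEMI = re.compile(r"'\s*;")   # single quote followed by a semicolon

def nasd_handshake(dst_port, payload: bytes) -> bool:
    """True if a TCP payload to a NASd port starts with the static 8-byte magic."""
    return dst_port in NASD_PORTS and payload.startswith(NASD_MAGIC)
def droboaccess_injection(request_line: str) -> bool:
    """True for GET /DroboAccess/delete_user whose username carries quote+semicolon."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if url.path != "/DroboAccess/delete_user":
        return False
    # Split the query by hand so a ';' inside the value is never treated as a separator.
    for field in url.query.split("&"):
        if field.startswith("username=") and _QUOTE_SEMI.search(unquote(field[9:])):
            return True
    return False
def backdoor_listener(cmdline: str) -> bool:
    """True if a process command line starts telnetd listening on the backdoor port."""
    m = re.search(r"\btelnetd\b.*\s-p\s+(\d+)", cmdline)
    return m is not None and int(m.group(1)) == BACKDOOR_PORT

# Constructed sample telemetry: (source, destination port or None, data).
SAMPLE_EVENTS = [
    ("tcp", 5000, bytes.fromhex("44 52 49 4e 45 54 54 4d 07 01 00 00")),
    ("tcp", 5001, bytes.fromhex("44 52 49 4e 45 54 54 4d 0a 01 00 00")),
    ("tcp", 5001, b"GET / HTTP/1.1\r\n"),  # same port, no magic: not a handshake
    ("http", 80, "GET /DroboAccess/delete_user?username=test%27;/usr/sbin/telnetd%20-l%20/bin/sh%20-p%208383 HTTP/1.1"),
    ("http", 80, "GET /DroboAccess/delete_user?username=alice HTTP/1.1"),  # benign request
    ("proc", None, "/usr/sbin/telnetd -l /bin/sh -p 8383"),
    ("proc", None, "/usr/sbin/telnetd -p 23"),  # ordinary telnet, not the backdoor port
]
def scan(events):
    """Run the three detectors over events; return (rule, detail) alerts in event order."""
    alerts = []
    for source, port, data in events:
        if source == "tcp" and nasd_handshake(port, data):
            alerts.append(("nasd_handshake", port))
        elif source == "http" and droboaccess_injection(data):
            alerts.append(("droboaccess_injection", port))
        elif source == "proc" and backdoor_listener(data):
            alerts.append(("backdoor_listener", BACKDOOR_PORT))
    return alerts
```

Per the third-from-last bullet, alerting on the stat-port handshake alone already covers the first step of the NASd chain, since the command port does not function until port 5000 has been contacted.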

CVSS provenance

NVD · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N