CVE-2018-14709
Published 2018-12-03
Priority P261 · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 1.91% (77.2 percentile)
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drobo | 5n2_firmware | — | — |
Detection & IOCs (extracted from sources)
- bytes: 44 52 49 4e 45 54 54 4d 07 01 00 00
- bytes: 44 52 49 4e 45 54 54 4d 0a 01 00 00
- Detect the NASd protocol handshake by matching the static 8-byte magic string 'DRINETTM' (44 52 49 4e 45 54 54 4d) at the start of TCP payloads on ports 5000 and 5001.
- Alert on outbound connections from a Drobo NAS to ftp://updates.drobo.com on port 21, which may indicate remote app installation being triggered by an attacker.
- Detect command injection via the DroboAccess web interface by monitoring HTTP GET requests to /DroboAccess/delete_user containing shell metacharacters (e.g., a single quote followed by a semicolon) in the username parameter.
- Alert on telnetd or bind-shell processes spawned on port 8383 on Drobo NAS devices; this is the backdoor port chosen in the published proof of concept for both the 'popit' NASd exploit and the DroboAccess command injection.
- Monitor TCP connections to port 5001 (NASd command port) from external/untrusted hosts; the protocol requires no real authentication and allows arbitrary command execution.
- The exploit affects Drobo 5N2 firmware version 4.1.1 and lower; newer firmware versions were suspected vulnerable at time of writing but unverified.
- The stat port (5000) must be connected first before the command port (5001) will function; detection/blocking of port 5000 may be sufficient to break the exploit chain.
- The device serial number is leaked unauthenticated from the stat port (5000) and is required to craft valid command messages; exposure of port 5000 to untrusted networks enables full exploitation.
- Most of the Drobo product line appears to be vulnerable beyond the 5N2, though this was not verified by the researchers.
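As an added detection example (not code from the record's sources or from the researchers), the following Python applies the indicators above to constructed flow records: the NASd magic taken from the IOC bytes, the stat/command ports, the 8383 listener and the delete_user metacharacter pattern. The trusted-prefix list, the request-line regex and the tag names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# NASd magic, taken from the IOC bytes on this record (44 52 49 4e 45 54 54 4d).
NASD_MAGIC = bytes.fromhex("44 52 49 4e 45 54 54 4d")   # decodes as b"DRINETTM"
NASD_STAT_PORT, NASD_CMD_PORT, BACKDOOR_PORT = 5000, 5001, 8383
# Hypothetical trusted management prefix; anything else counts as untrusted.
TRUSTED_PREFIXES = ("10.0.0.",)
# A single quote followed by a semicolon inside the username parameter of
# /DroboAccess/delete_user (request-line pattern assumed for this example).
DELETE_USER_INJECTION = re.compile(
    r"^GET\s+/DroboAccess/delete_user\?(?:[^\s&]*&)*username=[^\s&]*'[^\s&]*;", re.I)

@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes

def classify(flow: Flow) -> list[str]:
    """Return the detection tags raised by one TCP flow's first payload."""
    tags = []
    if flow.payload.startswith(NASD_MAGIC):
        if flow.dst_port == NASD_STAT_PORT:
            tags.append("nasd-handshake-stat-port")    # serial number is leaked here
        elif flow.dst_port == NASD_CMD_PORT:
            tags.append("nasd-handshake-cmd-port")
    if flow.dst_port == NASD_CMD_PORT and not flow.src.startswith(TRUSTED_PREFIXES):
        tags.append("nasd-cmd-port-untrusted-source")  # unauthenticated command channel
    if flow.dst_port == BACKDOOR_PORT:
        tags.append("listener-on-8383")                # PoC bind-shell port
    request = flow.payload.decode("ascii", errors="replace")
    if DELETE_USER_INJECTION.search(request):
        tags.append("droboaccess-delete_user-injection")
    return tags

def scan(flows):
    """Map each flow index to its tags, skipping flows that raise nothing."""
    return {i: t for i, f in enumerate(flows) if (t := classify(f))}

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 5000, bytes.fromhex("44 52 49 4e 45 54 54 4d 07 01 00 00")),
    Flow("203.0.113.7", 5001, bytes.fromhex("44 52 49 4e 45 54 54 4d 0a 01 00 00")),
    Flow("10.0.0.5", 5001, bytes.fromhex("44 52 49 4e 45 54 54 4d 0a 01 00 00")),
    Flow("203.0.113.7", 80, b"GET /DroboAccess/delete_user?username=bob'; HTTP/1.1\r\n"),
    Flow("203.0.113.7", 8383, b""),
    Flow("10.0.0.5", 445, b"\xffSMB"),
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_FLOWS).items():
        print(i, SAMPLE_FLOWS[i].src, SAMPLE_FLOWS[i].dst_port, tags)
```

Because the stat port must be reached before the command port works, a stat-port handshake from an untrusted source is the earliest point in the chain at which to block or alert.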
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/156710/Drobo-5N2-4.1.1-Remote-Command-Injection.html
- https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc