raidsonic nas-4220 crypt disk key leak (stored in plain onunencrypted partition)

2008.03.20
Credit: Collin Mulliner
Risk: Medium
Local: No
Remote: No
CVE: CVE-2008-1431
CWE: CWE-310


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Manufacturer: RaidSonic (www.raidsonic.de) Device: NAS-4220-B Firmware: 2.6.0-n(2007-10-11) Device Type: end user grade NAS box OS: Linux 2.6.15 Architecture: ARM Designed by: Storm Semiconductor Inc (www.storlinksemi.com) Problem: Hard disk encryption key stored in plain on unencrypted partition. Time line: Found: 09. March 2008 Reported: 09. March 2008 Disclosed: 16. March 2008 Summary: The NAS-4220-B offers disk encryption through it's web interface. The key used for encrypting the disk(s) is stored on a unencrypted partition. Therefore one can extract the encryption key by removing the disk from the NAS and reading the value from the unencrypted partition. The key itself is stored in a file in plain (base64 encoded). Therefore the NAS-4220 crypt disk support can not be considered secure. Details: The NAS-4220-B can hold two SATA disks. Disk are encrypted through a loop back device using AES128. The problem came to my attention when I could access the NAS after reboot without suppling the hard disk key. The key is stored in /system/.crypt, "/system" is a small configuration partition on the same disk that holds the encrypted partition. The system partition is created by the system software running on the NAS-4220. The configuration partition of the second hard disk is not mounted by default but also contains the .crypt file holding the key for the encrypted partition on the same disk. Accessing the key (key value is the example I used): $ cat /system/.crypt MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= key in plain key in base64 12345678901234567890 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA= Base64 decode: #!/usr/bin/python from base64 import * print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=") Reported by: Collin Mulliner <collin(AT)betaversion.net > Collin's Advisories: http://www.mulliner.org/security/advisories/ -- Collin R. Mulliner <collin (at) betaversion (dot) net [email concealed]> BETAVERSiON Systems [www.betaversion.net] info/pgp: finger collin (at) betaversion (dot) net [email concealed] If you have to run heating in winter, you don't own enough computers.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top