• September 22, 2020, 03:14:46 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: [1] 2

Author Topic: Security broken on dns-323  (Read 15586 times)

puterboy

  • Guest
Security broken on dns-323
« on: October 06, 2008, 07:15:18 PM »

WARNING: any user with access to your local network can *easily* READ any file on your dns-323 over any web browser.

All the login and user/group Network Access restrictions are misleading at best since ANYBODY can read ANY file on the dns-323 by simply typing in from any web browser:
   http://<address or name of dns-323/<path-to-file>

Specifically, for files on samba shares, you would typically type in something like:
  http://<address or name of dns-323>/mnt/HD_a2/<path minus the Volume_1 prefix>

To see the system files (including the password file), you would type in for example:
  htp://<address or name of dns-323>/etc/passwd

THIS IS PERHAPS ONE OF THE BIGGEST SECURITY HOLES I HAVE EVER SEEN IN ANY CONSUMER DEVICE.
Anybody can read any file just by using a standard browser on the same intranet. This simplest of all possible exploits
- Does not require access to the dns-323 hardware
- Does not require knowledge of any passwords or administrator access
- Does not require any obscure (or even obvious) crypto knowledge
- Does not require any hacking programs
- Does not require any computationally intensive decryption or password cracking

D-link is almost definitely aware of this problem and will most likely take down this post (and maybe even cancel my account) rather than fix the problem but it is CRITICAL that all users be made aware of this SERIOUS security flaw and then proceed to install and use the DNS-323 at their own risk

NOTE: I really love this machine -- it offers great functionality at a great price and is open source. However, it would be irresponsible for me not to warn users of this problem and even more irresponsible for d-link not to fix the problem.
Logged

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: Security broken on dns-323
« Reply #1 on: October 07, 2008, 05:52:29 AM »

For heaven's sake - it's a consumer device.

How many homes do you know that require bulletproof security?
How many homes do you know that share a single computer with no password protection?

Do allow me to point out a few of the security flaws you missed ....

1) the DNS-323 is physically small and easily concealed (wait - is that a flaw?) - what's to stop someone from picking it up and taking it away, with all of the data/
2) the DNS-323 has no security cable slot, so it cannot be locked down to prevent #1 above from happening
3) the DNS-323 has no way to physically secure the disks inside so even if we could secure it (see #1 & #2 above), a perp could just pop the front and yank the disks.
4) the DNS-323 has no encrytion, so any perp who got past #1, #2 & #3 above could browse your disks at leisure.

For crying out loud - what do you want for your $200 ???
Logged
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

puterboy

  • Guest
Re: Security broken on dns-323
« Reply #2 on: October 07, 2008, 09:02:01 AM »

Fordem, for heaven's sake, do you know the difference between physical security and data/network security. Your comparisons are all red herrings.

No one is expecting d-link to provide hardened physical security at this price point. However it is a reasonable expectation for d-link to provide a level of data access security that is comparable to that available on similarly priced (or even cheaper) consumer/SOHO equipment such as cell phones, PDAs and Windows Home -- i.e. that potentially private data is not readily viewable by prying eyes without at least some significant level of effort or physical invasion.

Almost all hardware on the market except perhaps the highest end military-grade gear is always vulnerable if a user can physically access the hardware unless the data itself is encrypted and even then there are almost always physical attacks that will allow you to intercept the data in an unencrypted format provided you have the right equipment.

For that reason, almost all businesses (and to some degree even many home offices) secure their physical servers to some degree. On the other hand, most businesses (and again even many homes) reasonably assume that individual users can be given access to the LAN without giving them unhindered access to private data.

In my simple home setup, I have my linux server and dns-323 in my home office. My kids (or house guests) do not have unfettered access to the office. Even if they were to access my office, I think they would realize that they would be doing something really wrong (and likely get caught) if they started to remove disks and cables from the dns-323.

On the other hand, it is much easier for them to just paste a link in their browser from the privacy of their own rooms. And much easier to morally justify such behaviors since those files are then just hanging out in the open and it probably wouldn't feel to them like "stealing" or invasion of privacy. Heck, there isn't any indication even that the data may be private -- it is like leaving your house wide open with a welcome sign.

As another analogy. If you have your paycheck lying face up in a public area, I might be tempted to look at your salary even though I know it is not my business. On the other hand, I would be far less likely to go to your office and open up your filing cabinets to snoop for your paychecks.

Finally, why go to all the bother of setting up and advertising R/W security if it is meaningless. In fact, it is arguably easier to read a file using the direct url then to have to browse to (or mount) a SAMBA share.
At best this is an embarrassing instance of programming negligence since even the lowest end Windows OS, PDA, or even cell phone has better security.

The reality is that the fix is EASY. We are not asking for NSA-level security and encryption. We are not even asking for current linux (or windows) level security. Just something that puts up the most minimal barrier to prying eyes.

The real issue here now is that D-Link has known about this problem for about 6 months and has not released any fixes. They continue to sell the device advertising R/W user/group access without any disclaimers despite knowing that any (read) protection is purely illusory. If they are really intending just to sell a NAS version of an external hard drive then they should advertise it as such and not include advertising and features that imply even a minimal level of user/group security.

Again, I think the dns-323 is a great product at a great price and I am not asking d-link to invest millions of dollars in the latest spook-level security protection. In summary, I am just pointing out the following points:
- The security hole is severe, pervasive, and easily exploitable without any special tools, knowledge, or access
- There are many potential fixes which are easy, well-know, and would require minimal cost in coding and testing (a rudimentary fix would require only a few lines of code)
- Despite all the above, D-link has done nothing to solve the problem in the field other than to note that they are working on it

If you cannot follow the above logic, then I begin to wonder whether you are a paid shill for d-link or whether you just simply don't understand the nature of the issue, or whether you just like being argumentative.

Logged

ECF

  • Poweruser
  • Level 11 Member
  • *
  • Posts: 2692
Re: Security broken on dns-323
« Reply #3 on: October 07, 2008, 01:25:21 PM »

This security hole will be fixed in the upcoming firmware release.
Logged
Never forget that only dead fish swim with the stream

puterboy

  • Guest
Re: Security broken on dns-323
« Reply #4 on: October 07, 2008, 02:51:12 PM »

Any ETA on the next release?
Personally, I would rather see major security holes (like this) and bug fixes (like the BT file non-erasure) solved asap rather than waiting for a big new release bundled with new functionality which may or may not be critical.
Logged

ECF

  • Poweruser
  • Level 11 Member
  • *
  • Posts: 2692
Re: Security broken on dns-323
« Reply #5 on: October 07, 2008, 03:10:23 PM »

Unfortunate I do not have a release date. Beta firmware is being tested and if passed it will be released as soon as possible.
Logged
Never forget that only dead fish swim with the stream

mig

  • Level 3 Member
  • ***
  • Posts: 217
Re: Security broken on dns-323
« Reply #6 on: October 07, 2008, 04:08:49 PM »

Any ETA on the next release?
Personally, I would rather see major security holes (like this) and bug fixes (like the BT file non-erasure) solved asap rather than waiting for a big new release bundled with new functionality which may or may not be critical.

Perhaps the frequency of previous firmware release dates might help to set your expectations.

Firmware     1.05      05/13/2008
Firmware    1.04     01/30/2008
Firmware    1.03     04/05/2007
Firmware    1.02b 02/06/2007
Firmware    1.02     12/18/2006
Firmware    1.01b 10/24/2006
Firmware    1.00     08/09/2006 Shipping Firmware
Logged

puterboy

  • Guest
Re: Security broken on dns-323
« Reply #7 on: October 07, 2008, 04:59:36 PM »

Unfortunate I do not have a release date. Beta firmware is being tested and if passed it will be released as soon as possible.

Well - I am glad that you folks are working on it.
And nothing I have said should be interpreted as taking away from what otherwise is a very nicely designed product.

BTW, my 3 favorite aspects of the product are:
1. Solid physical design -- doesn't look or feel like a cheap piece of plastic
2. Open source nature of the product allowing it to be used by a wide range of users and uses -- anything from minor changes that pose little risk and don't mess with the firmware to bolder changes where anything goes. (I only wish that D-link would take back more from the community which has developed some terrific improvements in existing functionality in addition to new extensions -- there are many talented developers out here who are more than willing to contribute improvements without direct cost to d-link)
3. Competitively priced
Logged

chuckv

  • Level 2 Member
  • **
  • Posts: 88
Re: Security broken on dns-323
« Reply #8 on: October 07, 2008, 05:08:50 PM »

Unfortunate I do not have a release date. Beta firmware is being tested and if passed it will be released as soon as possible.

i say take your time DLink in respect to getting the new update rolled out. i (as i am sure majority of us) can wait for a more secure / stable release

regardless of flaws identified, it is my opinion, it is fit-for-use at a domestic level.. as intented

cheers
Logged

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: Security broken on dns-323
« Reply #9 on: October 07, 2008, 05:45:01 PM »

Fordem, for heaven's sake, do you know the difference between physical security and data/network security. Your comparisons are all red herrings.

I don't see a need to differentiate - the end result is the same - if someone wants your data, he'll get it.  Too many people focus on network security only to have their data walk out of the door on a diskette (old days) or USB flash drive.

Sure Windows "home" as you term it, can be configured with a greater level of security - but in reality how often does that happen?

Tell me - isn't fiddling with URLs specialized knowledge ?- do you think that the average family member will accidentally stumble across the URL?  It's not like you simply click on a share in My Network Places and get access - you have to go search for it - it would be exactly the same as your going into my office and snooping in my unlocked filing cabinets, would it not?
Logged
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

jswashburn

  • Guest
Re: Security broken on dns-323
« Reply #10 on: October 07, 2008, 08:31:29 PM »

Quote
I don't see a need to differentiate - the end result is the same - if someone wants your data, he'll get it.  Too many people focus on network security only to have their data walk out of the door on a diskette (old days) or USB flash drive.

With FTP support, it might have been nice to have one in the data center with quick internet access. Ya...looks like that aint gonna happen anytime soon. I suppose one could just restrict port 21 traffic to the unit. But the point is having software security developed is more important then hardware security. Unless of course you feel it necessary to create your own Kensington security slot with a dremel tool.
« Last Edit: October 07, 2008, 08:38:51 PM by jswashburn »
Logged

puterboy

  • Guest
Re: Security broken on dns-323
« Reply #11 on: October 08, 2008, 01:41:47 AM »

I don't see a need to differentiate - the end result is the same - if someone wants your data, he'll get it.  Too many people focus on network security only to have their data walk out of the door on a diskette (old days) or USB flash drive.
I see a big difference between network security vs. physical security. Just like most people would never steal a physical CD but barely think twice about downloading a song, I believe that most people would not break into an office and physically extract data from a machine but would have few moral qualms about typing in a url into their browser to look at someone's private data.  Now true - professional data thieves will not care either way. But prying eyes will find using the url both easier and less morally "difficult" than physically violating your security -- and in the SOHO situation that is usually the primary purpose of accounts -- to keep nosy family, friends, and coworkers from snooping.

Sure Windows "home" as you term it, can be configured with a greater level of security - but in reality how often does that happen?
Hmmm... all the families that I know tend to use passwords. Parents don't want their kids in their data and kids don't want their siblings (or others) reading their private messages. We also lock our doors where we live but maybe we shouldn't since after all a thief could always come through the window....

Tell me - isn't fiddling with URLs specialized knowledge ?- do you think that the average family member will accidentally stumble across the URL?  It's not like you simply click on a share in My Network Places and get access - you have to go search for it -
I wouldn't call typing a url into a browser specialized knowledge. All you need is for one kid to tell his friends or do some browsing. And it's not like the url has a long encrypted string... in most cases it's just the share name/path concateneated with /mnt/HD_a2 or something. And I could imagine a Linux user almost by accident typing in "<machine name>/etc/passwd" and discovering an interesting surprise....

it would be exactly the same as your going into my office and snooping in my unlocked filing cabinets, would it not?
No see above... people tend to have much higher moral inhibitions to physical invasions vs. virtual invasions. Legally, breaking into an office and unlocking filing cabinets is a criminal act. It is not clear to me what crime one commits by typing in a url and reading someone else's data so long as one doesn't violate copyright laws... Downloading itself is not a crime but breaking & entering is a crime in and of itself.

I really don't see the point of prolonging this thread anymore. I get the point. You don't value network security in the SOHO environment and you don't see much virtue in even basic level network security in the absence of ironclad physical security. You also seem to believe that consumer manufacturers have no responsibility to deliver on the security they promise in their marketing materials. Well you are welcome to your perspective. But you need to accept the fact that others may have different situations or priorities.

My inlaws have 3 locks on their front door while my brother leaves his doors and windows wide open -- but they are different people, with different perspectives, living in different circumstances. Similarly, you are welcome to keep your home network as secure or insecure as you want.

And when D-link eventually gets around to releasing a new Firmware, feel free not to waste your time upgrading for such a useless feature as fixed security. But please don't be so arrogant as to try to tell others what level of security they either need or are allowed to expect in their SOHO environment.

In any case, I'm done with this thread unless someone has something constructive to add that will expedite a solution.
Logged

andrey

  • Level 2 Member
  • **
  • Posts: 27
Re: Security broken on dns-323
« Reply #12 on: October 13, 2008, 03:58:23 PM »

puterboy,

judging from your posts here and in another thread you're one paranoid person. Relax, your issues have been noted by d-link and are being worked. Please stop writing 3-pages flames to any user who responds to your posts.
Logged

puterboy

  • Guest
Re: Security broken on dns-323
« Reply #13 on: October 15, 2008, 03:55:44 PM »

puterboy,

judging from your posts here and in another thread you're one paranoid person. Relax, your issues have been noted by d-link and are being worked. Please stop writing 3-pages flames to any user who responds to your posts.

Aubrey - take a chill pill - if you like to keep your house and car unlocked, feel free to do so. If you think taking six months to fix a major security hole is great responsiveness then send your fan-boy compliments to d-link customer service -- I'm sure they would appreciate it!
Logged

chuckv

  • Level 2 Member
  • **
  • Posts: 88
Re: Security broken on dns-323
« Reply #14 on: October 15, 2008, 04:45:06 PM »

i think he just wants the last say, regardless of the outcome

just my 2c
Logged
Pages: [1] 2