Bugtraq mailing list archives

Iomega NAS A300U security and inter-operability issues


From: "Keith R. Watson" <keith.watson () gtri gatech edu>
Date: Fri, 01 Nov 2002 13:58:15 -0500

I recently tested an Iomega NAS A300U and discovered that it has several security and inter-operability issues as outlined in the following.

Affected Systems:

            Device: Iomega NAS A300U
               O/S: FreeBSD 3.5 (this has not been verified)
   Manager Version: Iomega NAS Manager 1.2 (P0-080102)
        Web Server: Apache v1.3.26
   CIFS/SMB Server: UNIX Samba v2.0.10

              NOTE: The vulnerabilities described may apply to
                    other models of the Iomega NAS line. It is
                    recommended that you test your system and
                    report any vulnerabilities to Iomega.

                    Iomega verified that the NAS has the latest
                    version of the O/S installed.


Unaffected Systems:

   Unknown - The Iomega NAS line is based on UNIX or Windows.
   Only the A300U (UNIX based) was tested. The vulnerabilities
   described may apply to other models of the Iomega NAS line.
   It is recommended that you test your system and report any
   vulnerabilities to Iomega.


Details:

   Clear Text IDs and Passwords When Using NAS Administration
   Web Page:

      The Iomega NAS A300U is administered via a web page. The
      documentation states that this can only be done using
      Microsoft Internet Explorer. A sniff of the administrative
      traffic revealed that all the administrative web pages are
      in clear text including the admin logon. Anyone with a sniffer
      can capture the administrator's user ID and password, and the
      user ID and password of any accounts that are created or
      modified.

      The "Iomega NAS Family Brochure" states the following:

         "The Iomega NAS Discovery Management
          Tool provides an intuitive interface with remote
          management flexibility and convenience.

          Encrypted login for the administrator
          protects against unauthorized access.

          Access and manage all client data, NAS
          backup and restore preferences from
          anywhere on the network."



   CIFS/SMB Mounts Susceptible to Man-In-The-Middle Attack:

      The Iomega NAS supports drive mounts using CIFS/SMB. By
      default the NAS will allow plain text LANMAN authentication.
      This makes the NAS susceptible to man-in-the-middle
      attacks. The session can be hijacked and user IDs and
      passwords can be compromised. The Iomega NAS A300U does not
      provide an option for disabling plain text authentication.
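      A defender can confirm the condition described above from the
      server's own SMB_COM_NEGOTIATE response: when the ENCRYPT PASSWORDS
      bit of SecurityMode is clear, the server expects plaintext
      passwords. The following audit helper is an added example, not part
      of the advisory or of Iomega's software; the sample packet it
      builds is constructed by hand and the header flag values are
      assumptions.

```python
"""Decode SecurityMode from an SMB1 (NT LM 0.12) NEGOTIATE response and
report what a security reviewer would flag (plaintext passwords, etc.).
Added example; the field layout follows the documented SMB_COM_NEGOTIATE
response, and the sample packet is constructed, not captured."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# SecurityMode bits in the NT LM 0.12 NEGOTIATE response
USER_SECURITY = 0x01        # user-level rather than share-level security
ENCRYPT_PASSWORDS = 0x02    # challenge/response supported; clear => plaintext
SIGNATURES_ENABLED = 0x04
SIGNATURES_REQUIRED = 0x08


def build_negotiate_response(security_mode: int) -> bytes:
    """Construct a minimal NT LM 0.12 NEGOTIATE response for testing.
    Header flag values (0x88, 0xC001) are assumed, not taken from a NAS."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x88, 0xC001, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    # WordCount=17, DialectIndex=0, SecurityMode, MaxMpx, MaxVcs,
    # MaxBuffer, MaxRaw, SessionKey, Capabilities, SystemTime, TZ, ChallLen
    words = struct.pack("<BHBHHIIIIqhB", 17, 0, security_mode, 50, 1,
                        16644, 65536, 0, 0, 0, 0, 0)
    return header + words + struct.pack("<H", 0)  # ByteCount = 0


def parse_negotiate_response(pkt: bytes) -> dict:
    """Return the negotiated parameters that matter for a security review."""
    if pkt[:4] != SMB_MAGIC or pkt[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE message")
    if pkt[32] != 17:  # WordCount for the NT LM 0.12 layout
        raise ValueError("only the NT LM 0.12 response layout is handled")
    dialect_index, security_mode = struct.unpack_from("<HB", pkt, 33)
    return {"dialect_index": dialect_index, "security_mode": security_mode}


def assess(params: dict) -> list:
    """List the weaknesses a defender would flag from the negotiated mode."""
    mode = params["security_mode"]
    findings = []
    if not mode & ENCRYPT_PASSWORDS:
        findings.append("server accepts plaintext (LANMAN) passwords")
    if not mode & USER_SECURITY:
        findings.append("share-level security: no per-user authentication")
    if not mode & SIGNATURES_REQUIRED:
        findings.append("SMB signing not required; sessions can be hijacked")
    return findings
```

      Feed a captured NEGOTIATE response to parse_negotiate_response to
      check a real server; a server behaving as described in this
      advisory yields the plaintext finding.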



   FTP Can't be Disabled:

      The Iomega NAS A300U allows access to the shared directories
      via FTP. FTP access to the shared directories can be disabled;
      however, this disables FTP access only to those directories,
      not to the NAS itself.

      When a user connects to the NAS using FTP the FTP root
      directory is the user's home directory. Any shared directories
      that have FTP enabled appear as sub directories of the user's
      home directory. When FTP access to a shared directory is
      disabled, then that directory no longer appears in the user's
      home directory.

      FTP access to shared directories can be disabled on a per
      share basis, but the FTP service can't be disabled.

      IT departments wishing to disable FTP will not be able to do so.
      When FTP access is disabled on all shared directories, users
      can still connect to their home directories.

      The interaction between storage quotas and content stored
      in a user's home directory via FTP was not tested.



   Interferes with Windows Browsing:

      The Iomega NAS A300U participates in Windows Browser elections.
      The NAS is configured in such a way that it always(1) wins the
      election even though multiple Windows servers exist on the
      same subnet.

      The fact that the NAS won the browser election would not normally
      be a problem except that the NAS does not correctly populate the
      browse list. This breaks any services that depend on browsing.
      In our case it disabled our Intel LanDesk server's ability
      to administer machines in our Windows NT domain.

      The NAS cannot be configured to disable participation
      in browser elections, and since it doesn't populate the
      browse list correctly it will disable any services that
      rely on Windows browsing.

         (1) The NAS can authenticate users against a Windows NT
             Domain that it has joined. To join an Active Directory
             domain the Active Directory must be running in mixed
             mode. In order to join a Windows domain the NAS must
             also be on the same subnet as the domain's Windows NT
             Primary Domain Controller or Active Directory PDC
             Emulator. So I put the NAS on the same subnet as our
             servers.

             The subnet that the NAS was tested on has over eleven
             Windows servers including a Windows Backup Domain
             Controller, a Windows Active Directory server, a Windows
             Active Directory PDC Emulator, a Windows Active Directory
             DNS server, several Exchange servers, a Blackberry
             Enterprise server, an Intel LanDesk server and several
             other test servers.

             Since there were such a large number of servers on the
             subnet I felt that the problem was significant enough
             to warrant an alert without determining the conditions
             under which the NAS could lose a browser election.

             It is believed that the NAS won the browser election
             because of the way Samba is configured. There isn't any
             administrative option for changing Samba browser behavior.



Fixes and Workarounds:

   Iomega was notified of the problems on October 17, 2002. Iomega
   stated that they are working on the problem but could not give
   an estimated time for completion.

   As an interim solution I tested the following:

      1. Placed the NAS and an administrative workstation behind a NAT
         firewall.

      2. Specifically blocked HTTP and FTP access to the NAS and
         only forwarded the ports required for the services
         I wanted visible to users.

      3. This also eliminated the problem of the NAS always winning
         browser elections and interfering with other Windows
         services.



   Cons for the proposed workaround:

      1. It requires a dedicated NAT firewall and administrative
         workstation.

      2. The NAS will not be able to join a Windows NT domain
         or an Active Directory Domain running in mixed mode so
         it will have to authenticate users against the local
         accounts database on the NAS instead of Windows domain
         accounts.



Contact Information:

   Keith R. Watson                  GTRI/ITD
   Systems Support Specialist III   Georgia Tech Research Institute
   keith.watson () gtri gatech edu     Atlanta, GA  30332-0816
   404-894-0836
