Linksys NSLU2 Security Flawed?

Discussion in 'other security issues & news' started by Turpster, Mar 22, 2006.

Thread Status:
Not open for further replies.
  1. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    Hello Everyone,

    I have several Linksys Network Storage Links - NSLU2 (each Network Link has two USB hard drives). They share a LAN with eight Windows XP Pro SP2 computers. Each NSLU2 is set up with full security and users are assigned long user names and complicated passwords. Every time a user connects via one of the Windows XP machines they are prompted for their user name and password - as I wanted. So far, so good.

    Here's the rub. I set up a SuSe 10.0 box for testing (I do not know a lot about Linux) and when I attempted to access one of these network NSLU2 drives using the built-in "Add a Network Folder" wizard - I got right in! No user name or password prompt - nothing. I was able to read and write to the drives - basically nothing to stop me. The user name and password I was using to log in to the SuSe box were new and never added to the NSLU2 devices (so there is no auto-login thing going on here).

    I am, needless to say, shocked, although I guess not surprised. Had I never been playing with Linux I would still not know how open these devices are, as this network is on the internet with a static IP - luckily there is a hardware firewall between them and the internet.

    Has anyone had such a problem, where Linux can simply bypass security like this? Like I said, I know little about Linux, and if I can just walk past a device that is supposed to be secure, what could I do if I knew more about Linux? NOT THAT I AM BLAMING LINUX, as it is obviously a Linksys problem, and I have contacted them and am awaiting a reply. If I am not mistaken the NSLU2 is a device with Linux embedded in it - but I am not sure about that.

    ...and yes, the Windows XP Pro SP2 boxes are still prompted for their user names and passwords.

    Well, I thought I would warn everyone about this and see if anyone else has had this problem and maybe a solution.

    Thanks all!
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Did you set up the accounts on both the StorageLink and Linux with the same username and password? If you set your system's logon to the same as the account on the StorageLink, it should actually log in automatically without prompting you for a username and password.

    There were also some security issues with the firmware that comes with it, have you updated the firmware to the latest?
     
  3. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    No - different users; the Linux user was not added to the storage link at all. So the storage link should have prompted me for a user name and password when I tried to access it through Linux, since it had no record of the user. But it did not - it let me right in with full access - YIKES!

    Yes, firmware is latest.
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That is strange, I may have to try it myself when I get some time. If Linksys gets back to you before anyone else, let me know?
     
  5. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    Yeah... it is really strange. Esp. when you consider I was just playing with SuSe (when I discovered this) just to see how SuSe worked - not trying to get SuSe to do anything that it could not do with the default settings.

    I will post back when Linksys contacts me. To date I have heard nothing - but I only reported it yesterday - so I will give them (Linksys support) a little more time before I call my direct rep at Linksys.
     
    Last edited: Mar 23, 2006
  6. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    I decided to shoot an email over to my regional rep at Linksys anyways....

    Will let you know what I find out.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nice, thanks for the heads up :)
     
  8. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    Here is Linksys's Tech Support Response:

    "Dear Valued Linksys Customer,


    Thank you for contacting Linksys Technical Support.

    Please accept our apologies for the inconvenience this has caused you. You have mentioned that the NSLU2 works without problems with the computers running the Windows operating system. When a Linux computer was introduced to the network, it was able to access the unit's drives by using the "built-in - add network folder" wizard. This has not prompted for a username and password, unlike the Windows-based PCs. Basically, any device connected to the NSLU2 should be prompted for a username and password, especially when a policy was set on the unit. We have limited resources when it comes to Linux. The program or application that was used on the unit is beyond our support. We apologize for the inconvenience; this case has already been forwarded to our Product Engineers for further investigation. We will get back to you as soon as we get the results. We cannot guarantee a fast resolution regarding this concern since no Linux hardware is available at the moment.

    Again, thank you for your patience and rest assured that we will take action to improve our products and services to better meet your needs.

    For more information on our products, please visit http://www.linksys.com/kb

    Please feel free to send us an E-mail at support@linksys.com for any questions or suggestions that you may want us to know.

    Thank you and have a nice day."

    I think the Linksys Tech Support person who wrote this did understand the issue; however, I am not sure he has a grasp of the security problems here (although I am glad he is sending it on). That they do not support Linux is, to me, no excuse for a device that is designed to live on a network. I could understand a response like that if I could not get the Linux box to connect or something like that. But to sell a network device that is supposed to be securable on a network - and is.... providing the network is solely Windows-based - is, in my opinion, CRAZY!

    For example, let's say someone got by my firewall (and was running SuSe), or an employee brought in a Linux-based laptop and plugged it into my network - apparently they would have full access to my network storage devices, as these devices provide no second line of defense for my files, or for the files of anyone running an NSLU2 network storage device.

    I have a Buffalo TeraStation which I will be testing next. For that matter, I am going to take a look at all my network security again using this SuSe box. Here I thought I was pretty secure.

    I have not heard back from my direct Linksys rep yet.

    I will post back with more info as I get it.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Thanks for getting back :)

    A miracle in itself...

    That is crazy, especially considering that the device is run on Linux to begin with. That they don't have any "Linux hardware" seems a bit strange as well, surely they have a spare machine somewhere, any old PC would do.

    If it's convenient, you might try recreating the users just to see... I'm pretty curious myself now, too, so I will have to give it a try. If this is a real issue (and I have no reason to doubt you) then hopefully they'll get it resolved. Obviously there's some difference in the way it's communicating with the device, and someone determined to get in could probably easily duplicate it.
     
  10. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    I agree, you'd think someone there would have some Linux hardware, since it is embedded in their products.

    I tried recreating the user - no difference, I can still get in using SuSe.

    I also tested some other brands of NAS devices and they seemed to work properly; either I was denied entry or given a prompt for user name and password.

    Still have not heard back from my Linksys rep - funny, too, because when I need to discuss a sales issue he is always right there or gets back to me ASAP - go figure.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Very strange indeed. I'm hoping that I can try it with just a Linux LiveCD.

    Heh, yeah, go figure...
     
  12. Upstart

    Upstart Registered Member

    Joined:
    Apr 20, 2006
    Posts:
    1
    Hello, Turpster and Notok!

    (This is my first post here, so please bear with me...)

    I just got the NSLU2 myself, and found this thread while researching on Google. I have very limited knowledge of Linux, but used the ext3 formatting for an external drive in order to enable the shares/groups/users features.

    Turpster, do you have the "guest" privileges enabled on your configuration? And do you have it configured to "convert failed logins to guest"?

    Maybe that is the flaw you are experiencing; the above settings were on my config screen by default at installation. I'm wondering if your Linux box is just going straight to guest read/write privileges on the "public data" portion of the disk, which is accessible by everyone on the default settings?

    I'm interested in seeing if that relates at all to your concerns.

    Hope this helps, but if it doesn't, I'd like to know that, too, as I want to lock down my NSLU2 as well.
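The guest fall-through Upstart describes is worth checking in the device's actual share configuration rather than only in the web UI. The following is an added example, not code from this thread or from Linksys: assuming the NAS's file sharing is Samba-based, it audits an `smb.conf` for the settings that let an unknown user silently become the guest account (`map to guest`, the old `security = share` mode) and for shares that are open to guests. Both configurations below are constructed samples.

```python
"""Audit a Samba smb.conf for settings that turn a failed or unknown login
into guest access. Constructed samples; assumes a Samba-based NAS."""
import configparser

TRUTHY = ("yes", "true", "1")

# Constructed: guest enabled, failed logins mapped to guest, public share writable.
WEAK_SMB_CONF = """
[global]
    security = user
    map to guest = Bad User
[public]
    path = /share/public
    guest ok = yes
    writable = yes
[private]
    path = /share/private
    valid users = alice, bob
"""

# Constructed: the same layout with guest fall-through disabled.
HARDENED_SMB_CONF = (WEAK_SMB_CONF.replace("Bad User", "Never")
                     .replace("guest ok = yes", "guest ok = no"))

def _opt(section, key, default):
    """Normalised lookup; Samba option names and values are case-insensitive."""
    return section.get(key, default).strip().lower()

def audit(text):
    """Return a list of findings; an empty list means no guest fall-through."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    # Anything other than 'Never' hands a wrong or unknown user the guest
    # account, so the client never sees an authentication failure.
    if _opt(g, "map to guest", "never") != "never":
        findings.append(f"[global] map to guest = {g['map to guest']}")
    if _opt(g, "security", "user") == "share":
        findings.append("[global] security = share (no per-user authentication)")
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        guest_ok = _opt(s, "guest ok", s.get("public", "no")) in TRUTHY
        # 'writable' is Samba's synonym for 'read only = no'; default is read-only.
        writable = (_opt(s, "writable", s.get("writeable", "no")) in TRUTHY
                    or _opt(s, "read only", "yes") not in TRUTHY)
        if guest_ok:
            access = "read/write" if writable else "read-only"
            findings.append(f"[{name}] guest ok = yes ({access})")
    return findings
```

Running `audit(WEAK_SMB_CONF)` flags the global guest mapping and the writable public share, while `audit(HARDENED_SMB_CONF)` returns no findings.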
     