Thursday, July 30, 2009

NAS security susceptibility

Thursday, July 30, 2009

The device that posed the highest number of threats was NAS, or network-attached storage, units, which were susceptible to all five attack classes considered in the study.

For instance, attackers can sabotage NAS units made by one vendor (The Register agreed not to name any specific manufacturers or models in this article) by doing nothing more than entering javascript commands when trying to log in to the device. From then on, the device will execute XSS, or cross-site scripting, attacks against network admins each time they view a device log that stores the wayward login
attempts.

Similarly, attackers can manipulate SMB, or server message block, commands, to rename files on a NAS device so they contain malicious javascript. The Stanford team has dubbed such exploits cross-channel scripting attacks because they use a non-web-based channel such as the file transfer protocol to store arbitrary scripts that, when viewed in a web browser, can expose the admin to serious threats. Four of the five NAS manufacturers studied in the report were vulnerable to them.

Blog Archive

WE DO NOT ENDORSE ANYTHING, .


NOR DO WE RECEIVE ANY FREE PRODUCTS OR FUNDS FOR LISTING ANY PRODUCT OR SERVICE HEREIN