CVE-2013-5668 Thecus NAS Server Domain Administrator Password Disclosure

Advisory Information

Title: Thecus NAS Server Domain Administrator Password Disclosure

Date published: 13 January 2014

Reference: CVE-2013-5668

Advisory Summary

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI.

Vendor

Thecus <http://www.thecus.com/>

Affected Software

Thecus NAS Server N8800 Firmware 5.03.01

Description of Issue

The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI. Any user who has access to this page is able to retrieve the ADS/NT administrator ID and password. This could enable an attacker to gain access to the domain hosting the storage server.
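As an added audit check (not part of the original advisory and not Thecus code), the following Python parses a served settings page and flags password inputs that come back with a prefilled value, which is how a credential stored in cleartext surfaces in the GUI as described above. The form HTML and field names are constructed to resemble such a page and are not the real Thecus markup.

```python
from html.parser import HTMLParser

# Constructed sample of an "ADS/NT Support" style settings form (hypothetical
# markup, not the real Thecus page): the server echoes the stored domain
# administrator password back into the form as a prefilled value.
SAMPLE_ADS_FORM = """
<form action="#" method="post">
  <input type="text" name="ads_domain" value="CORP">
  <input type="text" name="ads_admin_id" value="Administrator">
  <input type="password" name="ads_admin_pw" value="S3cretDomainPw!">
  <input type="password" name="smb_pw" value="">
  <input type="password" name="new_pw">
</form>
"""


class PrefilledSecretFinder(HTMLParser):
    """Collects <input type="password"> fields served with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attributes without a value (e.g. bare "disabled") arrive as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        if a.get("value", ""):
            # Record the length only, so the audit output never repeats the secret.
            self.findings.append((a.get("name", "<unnamed>"), len(a["value"])))


def find_prefilled_password_fields(html):
    """Return [(field_name, value_length)] for password inputs echoed with a value."""
    parser = PrefilledSecretFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for name, length in find_prefilled_password_fields(SAMPLE_ADS_FORM):
        print(f"cleartext secret echoed into field {name!r} ({length} chars)")
```

Run it against a saved copy of each administrative page; a correctly built form leaves password fields empty or uses a fixed placeholder, so any hit is a finding to triage.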

PoC

Attackers can use a browser to exploit this issue: the password is returned in the ADS/NT Support page itself, so no special tooling is required.

Fix

ThecusOS 5 (32 bit):

http://www.thecus.com/Downloads/beta/FW/Thecus_NAS_FW_beta_5.03.02.4.rom

ThecusOS 5 (64 bit):

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N2800_N4510U_N4800_N5550_N7510.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N6850_N8850_N10850_N8900_N12000_N16000.rom

http://www.thecus.com/Downloads/beta/FW/64_V2.04.05_build7464_FW_N7700PROV2_N8800PROV2.rom