If you run a network-attached storage (NAS) device made by LG, you should take it offline, read this article, and then take the appropriate steps to protect your sensitive data.
Privacy advocacy company vpnMentor revealed on Wednesday that its researchers had discovered a critical, still unpatched remote command execution vulnerability in multiple LG NAS devices that could compromise the user data stored on them.
It is worth noting that last month the same company disclosed security vulnerabilities in HotSpot Shield, PureVPN, and Zenmate, three popular VPN applications. Those flaws could expose users' real IP addresses and other sensitive data, and the affected users may number in the millions.
An LG NAS device is a dedicated file storage unit attached to a network, letting users store and share data from multiple computers. Authorized users can also reach this data remotely over the Internet; the authorization requirement means that remote access should be impossible without the correct username and password.
vpnMentor researchers said that although they could not log in to the LG NAS devices with arbitrary usernames and passwords, they found a pre-authentication remote command injection vulnerability in most of them. The flaw stems from improper validation of the "password" parameter on the remote management login page, which lets a remote attacker pass arbitrary system commands through the password field.
The researchers explained that an attacker could exploit the vulnerability by submitting a simple persistent shell as the password entry, writing it to the target device. Using that shell, the attacker can easily run further commands; one of them let the researchers dump the device's entire user database, which contained victims' email addresses, usernames, and MD5-hashed passwords.
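As an added illustration (not code from vpnMentor or from LG's firmware), the following Python sketches the flawed pattern behind a pre-auth command injection in a login handler, a hardened check that never lets the password near a shell, and a small detector for login attempts whose password field carries shell metacharacters. The user store, the request bodies and the `check_pw` helper name are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed credential store for the example: username -> hex digest of the
# password. (Unsalted MD5, as the article says the devices used, is a separate
# weakness from the injection shown here; SHA-256 is used just to keep the focus.)
USERS = {"admin": hashlib.sha256(b"correct horse battery").hexdigest()}


def build_login_command_unsafe(password: str) -> str:
    """The flawed pattern, shown but never executed: the submitted password is
    spliced into a shell command line, so a value such as 'x; id' becomes a
    second command for /bin/sh. 'check_pw' is a hypothetical helper name."""
    return f"/usr/bin/check_pw {password}"


def authenticate(username: str, password: str) -> bool:
    """Hardened check: the password only ever reaches a hash function and a
    constant-time comparison. No shell is involved, so metacharacters in the
    input are just bytes that fail to match."""
    candidate = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(username)
    if stored is None:
        # Compare against a dummy digest so an unknown user costs the same time
        # as a wrong password (no username enumeration via timing).
        hmac.compare_digest(candidate, "0" * 64)
        return False
    return hmac.compare_digest(candidate, stored)


# Characters that carry meaning for /bin/sh; a password field containing them
# is worth a second look in the device's web server logs.
SHELL_META = re.compile(r"[;|&`$()<>\n]")


def suspicious_login_bodies(post_bodies):
    """Return the login POST bodies whose 'password' field contains shell
    metacharacters. Legitimate passwords may contain these too, so treat hits
    as triage leads rather than proof of an attack."""
    hits = []
    for body in post_bodies:
        params = parse_qs(body, keep_blank_values=True)
        if any(SHELL_META.search(pw) for pw in params.get("password", [])):
            hits.append(body)
    return hits


# Constructed sample request bodies (URL-encoded, as a browser would send them).
SAMPLE_POST_BODIES = [
    "username=admin&password=correct+horse+battery",
    "username=admin&password=x%3B+id",        # ';' followed by a command
    "username=guest&password=%60whoami%60",   # backtick substitution
]

if __name__ == "__main__":
    print(build_login_command_unsafe("x; id"))
    print(authenticate("admin", "correct horse battery"), authenticate("admin", "x; id"))
    for body in suspicious_login_bodies(SAMPLE_POST_BODIES):
        print("suspicious:", body)
```

The design point is that `authenticate` has no code path in which the password is interpreted by anything other than a hash function; the detector is a compensating control for devices that cannot yet be patched, and its hits should be correlated with the account review described later in the article.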
Because passwords protected only by the MD5 hash function are easily cracked, an attacker can then gain access to the target device and steal the sensitive data stored on it.
The researchers also noted that an attacker who does not want to spend time cracking the stolen MD5 hashes can instead add another command that creates a new user on the target device, then log in with those credentials to complete the data theft.
Since LG has not released a fix for this vulnerability, we recommend that LG NAS users ensure their devices cannot be reached from the public Internet and protect them with a firewall. We also recommend that users periodically check the device for suspicious activity by reviewing all registered usernames and passwords.
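As an added example, not from the original article, this Python contrasts the MD5 storage the dump exposed with a salted, deliberately slow PBKDF2 scheme from the standard library, and closes with the kind of account audit the last paragraph recommends: a diff of the device's current user list against a baseline the administrator recorded earlier. The dump rows, usernames and baseline are constructed; the stored-hash format is this example's own convention.

```python
import hashlib
import hmac
import os


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article says the dumped database used. It is
    fast to compute and gives identical digests for identical passwords, so one
    precomputed table serves every user in the dump."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Salted, slow alternative built on hashlib.pbkdf2_hmac. The output format
    'pbkdf2_sha256$rounds$salt$digest' is a convention chosen for this example."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed rows shaped like the dump the article describes:
# (email, username, MD5 hash).
DUMP = [
    ("alice@example.invalid", "alice", md5_hash("summer2017")),
    ("bob@example.invalid",   "bob",   md5_hash("summer2017")),
    ("carol@example.invalid", "carol", md5_hash("a much longer passphrase")),
]


def shared_hashes(rows):
    """Group usernames by digest. With unsalted MD5, every set of users who chose
    the same password is visible before any cracking starts; salting removes
    this leak because each user's digest differs even for equal passwords."""
    groups = {}
    for _email, user, digest in rows:
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def unexpected_accounts(current_users, baseline_users):
    """Account audit: names present on the device now but absent from the
    administrator's recorded baseline, such as a user planted via the injection."""
    return sorted(set(current_users) - set(baseline_users))


if __name__ == "__main__":
    print("users sharing a digest:", shared_hashes(DUMP))
    stored = pbkdf2_hash("summer2017")
    print(stored)
    print("verify correct:", pbkdf2_verify("summer2017", stored))
    print("new accounts:", unexpected_accounts(["admin", "alice", "support2"],
                                               ["admin", "alice"]))
```

The audit helper is only as good as the baseline: record the account list when the device is known clean, store it somewhere the NAS cannot overwrite, and re-run the comparison on a schedule alongside the review of login attempts.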