The following issues affect ExaGrid storage devices running firmware prior to version 4.8 P26:
CVE-2016-1560: The web interface ships with default credentials of 'support:support'. This credential confers full control of the device, including running commands as root. In addition, SSH is enabled by default and remote root login is allowed with a default password of 'inflection'.
CVE-2016-1561: Two keys are listed in the root user's .ssh/authorized_keys file: one labeled "ExaGrid support key" and one "exagrid-manufacturing-key-20070604". A copy of the private key for the latter authorized key ships on the device in /usr/share/exagrid-keyring/ssh/manufacturing.
These issues have been rectified in firmware version 4.8 P26, available from the vendor.
ExaGrid provides a series of disk backup appliances based on Linux. The vendor's website states, "ExaGrid's appliances are deduplication storage targets for all industry leading backup applications." In addition, ExaGrid provides several hundred customer testimonials, demonstrating its popularity as a backup solution across several vertical markets.
Exploiting these issues requires only a standard SSH client for the first two issues and a standard web browser for the third.
The SSH private key, which is common to every shipping device, is located on the device at /usr/share/exagrid-keyring/ssh/manufacturing, available to anyone who owns a device or anyone who can download and extract the firmware.
In order to facilitate detection of this exposure, the private key is provided below.
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBnZQ+6nhlPX/JnX5i5hXpljJ89bSnnrsSs51hSPuoJGmoKowBddISK7s10AIpO0xAWGcr8PUr2FOjEBbDHqlRxoXF0Ocms9xv3ql9EYUQ5+U+M6BymWhNTFPOs6gFHUl8Bw3t6c+SRKBpfRFB0yzBj9d093gSdfTAFoz+yLo4vRw==
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Removing the two backdoor keys from the /root/.ssh/authorized_keys and /root/.ssh/authorized_keys2 files and changing the root user's password will prevent exploitation of the first vulnerability.
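To check an appliance, or a mounted firmware image, for the exposure described above before and after applying the mitigation, the following POSIX shell script is an added example; it is not part of the advisory and not vendor code. It matches the published public key blob and the two comment labels in both authorized_keys files and tests for the on-device copy of the manufacturing private key; the optional root-prefix argument for scanning an extracted image is an assumption of this example.

```shell
#!/bin/sh
# Added defender-side check (not from the advisory or the vendor): looks for
# the two backdoor authorized_keys entries from CVE-2016-1561 and for the
# on-device copy of the shared manufacturing private key.

# Public half of the manufacturing key as published in the advisory,
# re-joined from its line-wrapped form.
EXAGRID_MFG_PUBKEY='AAAAB3NzaC1yc2EAAAABJQAAAIBnZQ+6nhlPX/JnX5i5hXpljJ89bSnnrsSs51hSPuoJGmoKowBddISK7s10AIpO0xAWGcr8PUr2FOjEBbDHqlRxoXF0Ocms9xv3ql9EYUQ5+U+M6BymWhNTFPOs6gFHUl8Bw3t6c+SRKBpfRFB0yzBj9d093gSdfTAFoz+yLo4vRw=='

# Print how many lines of FILE carry a known marker: the exact key blob or
# either comment label named in the advisory. Unreadable/missing file -> 0.
count_backdoor_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -F -e "$EXAGRID_MFG_PUBKEY" \
               -e 'exagrid-manufacturing-key-20070604' \
               -e 'ExaGrid support key' -- "$1" || true
}

# Audit one root filesystem (default: the running system; pass the mount
# point of an extracted image to scan it offline). Findings go to stderr,
# the total number of findings to stdout.
audit_exagrid_root() {
    root="${1:-}"
    findings=0
    for f in "$root/root/.ssh/authorized_keys" "$root/root/.ssh/authorized_keys2"; do
        n=$(count_backdoor_keys "$f")
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $n backdoor key entr(y/ies) in $f" >&2
            findings=$((findings + n))
        fi
    done
    key="$root/usr/share/exagrid-keyring/ssh/manufacturing"
    if [ -f "$key" ]; then
        echo "FINDING: shared manufacturing private key present at $key" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}
```

A result of 0 on a patched appliance only covers the key material; the root and 'support' password changes must still be verified separately.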
As for the web UI exposure, it appears to be possible to change the password for the 'support' account through the web interface. However, this is likely to break software updates, as the update process uses that account with a hard-coded password.
The vendor has fixed the reported vulnerabilities in firmware version 4.8 P26. Customers are urged to contact their support representative to acquire this firmware update.
"ExaGrid prides itself on meeting customer requirements," said Bill Andrews, CEO of ExaGrid. "Security is without question a top priority, and we take any such issues very seriously. When we were informed by Rapid7 of a potential security weakness, we addressed it immediately. We value Rapid7's involvement in identifying security risks since strong security will always be a key customer requirement."
This vulnerability advisory was prepared and released in accordance with Rapid7's disclosure policy.
- Tue, Jan 26, 2016: Initial discovery by James Lee of Rapid7
- Fri, Jan 29, 2016: Initial contact to vendor
- Mon, Feb 01, 2016: Response from vendor and details disclosed
- Mon, Feb 23, 2016: Disclosure to CERT
- Tue, Mar 08, 2016: Vendor commits to a patch release in March
- Thu, Mar 24, 2016: Vendor provides an updated firmware image
- Thu, Apr 07, 2016: Public disclosure and Metasploit module published