Buffalo Terastation NAS Disabled guest built‐in account allows for SMB\RPC device enumeration - bcross520/bcross520.github.io GitHub Wiki
Write-up was sent to [email protected] on April 20th, 2023 requesting validation of intended functionality. Support replied, after several attempts to contact them, with the solution of changing the minimum negotiation version from the default SMBv1 to SMBv2-SMBv3. This does nothing to prevent an attacker from authenticating to the NAS with the built-in guest user account even when it is disabled in the UI; an attacker can then enumerate the host.
Update - On July 27, 2023, the Buffalo America engineering team confirmed that the usability of the disabled guest account is unintended functionality. Buffalo plans to address this issue in a future firmware release around October 2023.
On September 1, 2023, NIST assigned CVE-2023-39620 to this vulnerability.
The following was tested on firmware version 5.00-0.07 using a Buffalo Terastation TS5410R. Other models may be affected; how far back in firmware versions this extends is unknown.
- When the built-in guest account is disabled, you can still authenticate to the device and enumerate information from the NAS.
- Enumerate all shares via smbclient using the guest account (even though it is disabled). The built-in admin account and local user accounts do not allow this same access.
- You can use the disabled guest account to log in via RPC. Once you have a session you have many more options for enumerating the device. Connecting with rpcclient using the guest account works; no other accounts allow this connection.
- Showing I’m authenticated as the guest user.
- Now an attacker can enumerate user accounts, then attempt to brute force the passwords of those user accounts.
- An attacker can enumerate user groups configured on the NAS.
- An attacker can enumerate network shares configured on the NAS, which disclose file system paths.
- An attacker can acquire share information, which shows the file system path location, users with access, and DACL information.
So if the built-in guest user account is disabled in the UI of the NAS, that should also mean the guest account cannot be used for enumeration. No other accounts allow this access: the built-in admin account and any manually created local user accounts do not allow authentication using the smbclient or rpcclient applications.
While the guest account and SMBv1 are default settings, the vendor has acknowledged that disabling the guest account in the web application UI still allows authentication. The vendor's suggested solution was to disable SMBv1, which still does not address the vulnerability.
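A verification check for defenders, added here as an example and not part of the original write-up or any Buffalo tooling: it runs smbclient and rpcclient with the disabled guest account (the same two steps described above) and flags the NAS if the session still returns shares or users, which is how to confirm whether a firmware update or the vendor's SMBv1 advice actually closed the hole. The hostname, the tool invocations and the sample outputs are constructed assumptions.

```python
"""Post-fix check for disabled-guest SMB/RPC enumeration (added example).

The parsers are kept separate from the subprocess calls so they can be
exercised on captured tool output without a NAS on the network.
"""
import re
import subprocess

# Share rows in `smbclient -L` output look like "\tname   Disk   comment".
SHARE_RE = re.compile(r"^\s+(\S+)\s+(Disk|Printer|IPC)\s*(.*)$")
# `rpcclient -c enumdomusers` prints "user:[name] rid:[0x...]".
USER_RE = re.compile(r"user:\[(.*?)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")

# Constructed sample output, shaped like the Samba client tools' output.
SAMPLE_SMB = """
\tSharename       Type      Comment
\t---------       ----      -------
\tshare           Disk      
\tbackup          Disk      nightly
\tIPC$            IPC       IPC Service (TS5410R)
SMB1 disabled -- no workgroup available
"""
SAMPLE_RPC = "user:[admin] rid:[0x3e8]\nuser:[jdoe] rid:[0x3e9]\n"


def parse_smbclient_shares(output: str) -> list[str]:
    """Return file share names; the IPC$ pipe is always listed and is ignored."""
    return [m.group(1) for line in output.splitlines()
            if (m := SHARE_RE.match(line)) and m.group(1) != "IPC$"]


def parse_enumdomusers(output: str) -> dict[str, int]:
    """Return {username: rid} from enumdomusers output."""
    return {m.group(1): int(m.group(2), 16) for m in USER_RE.finditer(output)}


def assess(shares: list[str], users: dict[str, int]) -> str:
    """Any share or user returned means the disabled guest account still works."""
    if shares or users:
        return f"VULNERABLE: guest session exposed {len(shares)} share(s), {len(users)} user(s)"
    return "OK: guest session returned no shares or users"


def run_check(host: str) -> str:
    """Run both tools against `host` as guest with an empty password (-N) and assess."""
    smb = subprocess.run(["smbclient", "-L", f"//{host}", "-N", "-U", "guest"],
                         capture_output=True, text=True)
    rpc = subprocess.run(["rpcclient", "-N", "-U", "guest", host, "-c", "enumdomusers"],
                         capture_output=True, text=True)
    return assess(parse_smbclient_shares(smb.stdout), parse_enumdomusers(rpc.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; see run_check() for a live host.
    print(assess(parse_smbclient_shares(SAMPLE_SMB), parse_enumdomusers(SAMPLE_RPC)))
```

Run it after applying a firmware update or the SMB minimum-version change; an "OK" verdict only means the guest session yielded nothing, so keep the network segmentation in place regardless.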
The current disabled-guest behaviour enables the following MITRE ATT&CK framework techniques:
- Initial Access
  - T1078.001 Default Accounts
- Account Discovery
  - T1087.001 Local Account
  - T1087.002 Domain Account
- File and Directory Discovery
  - T1083
- Network Share Discovery
  - T1135
- Permission Groups Discovery
  - T1069.001 Local Groups
  - T1069.002 Domain Groups
Current mitigating controls would be to segment the NAS on your network behind a firewall, limiting access to the SMB/RPC ports to trusted hosts only.