I'm not sure of the proper process to report or escalate the extremely major security flaw I've found in Terastation TS5200D (and likely all other Terastation) models, but here is the description.
(A call to support at 866-752-6210, after the support rep researched, confirmed there didn't seem to be any fix for this dangerous flaw, presently, and advised me to e-mail support@buffalotech.com immediately to escalate the issue, which I've done).
While WebAccess appeared to function fine once properly secured, requiring authentication for access to shares and their subfolders appropriately, etc., in a shocking turn, users appear to be capable of undermining the entire authentication-based security of these Business NAS products, via what appears to be an obscure and poorly documented feature in WebAccess known as "Share Files".
Using this feature, a user authorized to read or read/write to a folder can "share" that folder or its subcontents, generating a URL of the style:
http://buffalonas.com/<NASName>/axs/u:<RandomAlphanumericString>/SHAREDFOLDER
When shared with anyone they may choose to share it with, and used in a browser, COMPLETELY bypasses the requirement of authentication to view the secure folders, and presents them in-browser for download, etc.
This allows users to completely undermine any security Buffalo NAS product administrators have assigned, by providing these to others.
Furthermore, it is confirmed that users sharing files is not being logged in any log files. Meaning, again, users are free to share links to anything they have access to with individuals that do not have access, undocumented, and completely without the knowledge of the administrator.
The support rep recommended if I didn't like WebAccess allowing my users to provide secure files to anyone they might choose, unauthorized, to simply disable WebAccess and use archaic FTP methods, which eliminates one of the major marketing points of these NAS products as a modern professional business product...
This is shocking and utterly disappointing to discover, can cost thousands of dollars to replace these products with competitor's products, and to find this after I'd researched and been assured that these products were Business grade, web-accessible products, is... just shocking.
I've requested with support@buffalotech.com to fast-track a patch of some sort, after the support rep said there was nothing to do, as "it's not a bug, it's a feature" (albeit one that throws security out the window).
Does anyone have any other suggestions on how this "feature" could be blocked? I've considered de-listing my NAS from BuffaloNas.com, but substituting the IP and Port of the NAS in place of buffalonas.com/NASNAME still works, meaning the flaw (and the temporary "phantom" user it creates for the 1-30 days of access a user causes), is contained within the NAS itself, and isn't something being done by the website.
Short of turning off WebAccess, which would cripple responsible users across the workplace, what can be done to remove their ability to share secured files without permission? Has anyone ever been made aware of this?
-KC
Quote from: kcarlson on May 14, 2015, 11:38:43 AM
When shared with anyone they may choose to share it with, and used in a browser, COMPLETELY bypasses the requirement of authentication to view the secure folders, and presents them in-browser for download, etc.
-KC
Of course the security is bypassed, you have given the user permission to access the file/folder using the "share file" option within web access. Also, the string used is not random, it is specific to that file and if you change a digit it will not allow you access.
The only way to prevent users from sharing files is to prevent them from accessing the files at all. Even if they couldn't share the link they could just copy the file off and share it that way, right? At some point you either trust your users or you don't.
^ pretty much sums that up. Was going to say the same thing. Technically this is the same for other hardware in corp environments. One way or another someone has access to that file. They may not have a share link like WebAccess but they can just copy and paste it or upload it to online storage sites and share it. Security issues are users in the company and whether or not they are trustworthy.
If you don't want that option at all but want the permissions there for read/write and read only, your best bet is FTP. Not sure why your users can't figure out how to use it; you can clearly give them a link to it, and IE and Chrome would support FTP without third party extensions. Then give them a password and username. Then set up PF for the off site access and include that link with the Public IP:port.
Thanks for the thoughts, folks. Buffalo Support basically implied the same, that I should simply "trust all my employees"... Apparently, all 500+ of them, across 8-9 business locations and 8-9 individual NAS drives.
Obviously, I think it's safe to say that I've got to somewhat disagree on a fundamental level, as this isn't really a practical concept, to "just trust all your 500+ employees nationwide, that they won't use the Buffalo Business NAS products in a malicious way"...
The news is daily full of stories of data breaches, and the appropriate answer in the IT industry has never been to just "trust all your employees". There's a large difference between an employee intentionally copying files to a USB Memory Stick or Dropbox service, and an employee being able, with two mouse-clicks, to generate a password-free URL that provides anyone they choose, full access to download entire directories. It's all about the difficulty of access to the data, and unfortunately, this feature, as it's unable to be turned off, can allow one untrustworthy user to turn your secure system into a virtual Dropbox to anyone they want to provide it to, on a whim.
The main reason I preferred WebAccess over older reliable FTP/SFTP, which I have no problems with, but my users would have more with, is specifically because of the ease-of-use. The employees travel and work out-of-office a lot, and WebAccess, looking much like the familiar Dropbox/Google Drive type services many were already familiar with, let alone it having a very useful iPhone/Android companion app, was a huge selling point in the selection of these business-NAS products for the company.
Buffalo Support did provide me an undocumented method to access the Apache Web Logs, which show, in a rather technical format, who has logged in, and when the "Share Files" feature is used to generate a link... (contrary to their phone support's response - that there wasn't anything to be done, because it "isn't logged at all.")
This method is rather archaic, but until this "feature" gets patched, it appears the burden's on the IT Administration to set up automated routines (the keystrokes must be performed physically or by automation software; it's a keystroke combination not supported by major remote administration packages like LogMeIn, Teamviewer, etc.), and then the log pored through for the unique strings that imply a user has shared company files. I have a very small department, and unfortunately lack the time and luxury to do this daily, but according to Buffalo, IT spending time manually extracting webserver logs and poring over them is currently the only way to at least monitor their Business NAS products for these user-enabled breaches of security.
It's only after that, that IT can finally contact the user and investigate why they felt the need to share company files, what their intention was, and if disciplinary action is/was required.
The worst thing is, there's literally NO way to turn a user's sharing "off". If there was at least a screen to administer/disable any user-shared files, it would help, as if a user is found to have e-mailed a link to your sensitive files to the competition, you literally cannot turn the sharing off until the time expires. It's all a hidden "feature" you have zero control over, and your users have full control over. For a "business" marketed product.
Very disappointing, and the only way I can see these products being marketed for any "business" that has more people than can fit in one room is:
1. An update that makes the log files more easily visible and searchable, to see which users decided to share sensitive files.
2. An update to fully disable the "share files" feature to remove users' control over your business' sensitive files and the need for IT to constantly police users in the event they would share things.
OR
3. An update to view and delete as necessary, any "active shares" URLs users may have chosen to share.
I can't imagine these very rudimentary security features would be very difficult for Buffalo to implement to properly secure their business grade products. You'd expect, for $1000+ products, the response to an insecurity not to be "Just trust your 500+ employees across the nation not to ever do anything malicious with this feature".
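The log-review routine described above, as an added example that is not part of this thread or of any Buffalo tooling: it scans Apache access log lines for successful requests whose path carries the /axs/u:<token>/ segment of a WebAccess share URL and groups them by token, so an administrator can see which shared paths were fetched and from how many distinct clients. It assumes the NAS writes the standard Apache "combined" log format and that share tokens are alphanumeric; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed: standard Apache "combined" access log format (not confirmed for the NAS).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Share-link hits are recognised by the /axs/u:<token>/ segment of the share URL
# quoted in the thread; the alphanumeric token shape is an assumption.
SHARE_RE = re.compile(r'^/axs/u:(?P<token>[A-Za-z0-9]+)/(?P<target>[^?\s]*)')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_share_hits(lines):
    """Map share token -> clients, fetched paths and hit count for 2xx/3xx requests."""
    hits = defaultdict(lambda: {"clients": set(), "paths": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # malformed or non-matching line, skip it
        m = SHARE_RE.match(rec["path"])
        if not m or not rec["status"].startswith(("2", "3")):
            continue  # not a share URL, or the token was rejected by the NAS
        entry = hits[m.group("token")]
        entry["clients"].add(rec["ip"])
        entry["paths"].add(m.group("target"))
        entry["hits"] += 1
    return dict(hits)

# Constructed sample log lines (not real NAS output); one normal login session,
# one share token used from two different client addresses, one rejected token.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2015:11:38:43 -0500] "GET /axs/u:AbC123xYz/Finance/Q1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:11:39:01 -0500] "GET /axs/u:AbC123xYz/Finance/Q1/budget.xlsx HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
198.51.100.23 - - [14/May/2015:12:02:17 -0500] "GET /axs/u:AbC123xYz/Finance/Q1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - jsmith [14/May/2015:12:10:00 -0500] "GET /ui/Finance/Q1/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2015:12:11:45 -0500] "GET /axs/u:WrongToken1/Finance/Q1/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def report(log_text=SAMPLE_LOG):
    hits = find_share_hits(log_text.splitlines())
    for token, e in sorted(hits.items()):
        # Several client addresses on one token suggests the link was passed on.
        print(f"token {token}: {e['hits']} hits from {len(e['clients'])} client(s), "
              f"paths: {sorted(e['paths'])}")
    return hits

report()
```

Run against the real log after the export step the support rep described; a token seen from many client addresses, or a token fetching whole directory listings, is the case worth following up with the sharing user.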
I respectfully disagree. If your users are intent on sharing files with outside entities they are going to do it one way or another. As far as FTP being difficult, they can access FTP via a web browser and it is not much different than any other file sharing service.