Outdated Apache and OpenSSL on Terastation?

Started by nelsonm, July 06, 2009, 02:49:20 PM

nelsonm

   

So I've run a security scan on the terastations and it is alerting me that it is running old versions of Apache and OpenSSL which have open and well known vulnerabilities.

 

Is there any way for me to update this software to the latest versions so as to get rid of these vulnerabilities and make this hardware "safe"?

I'm guessing it would normally be through a firmware update, but since Buffalo is not likely to provide one, is there an alternate way of doing it?


PCPiranha

Which Terastation? Always include a model number and firmware version when inquiring about a product!!


nelsonm

   

Terastation II Rackmount


 Model Name: TS-RHTGL/R5 F/W 1.33


Colin137

It appears that the Apache vulnerabilities are fairly minor... most are regarding potential XSS attack vectors. This can be mitigated by making sure port 80 on the Terastation is not open to the internet.

 

Some of the OpenSSL vulnerabilities are more severe, but again, most are fairly minor.

 

I'll forward a request up to get Apache and OpenSSL updated.


nelsonm

   

Colin,

Thanks.

Is there any way you can forward a request to update SMB and Kerberos to allow digital packet signing? This is another problem we have.

 

I was told they do not have any plans to update them; I was never given a choice to request it.


Colin137

I'll request it, but there's no way of knowing if it will get done. From what I've seen, digital packet signing is fairly difficult to implement in a way that works in many different environments.

csfv

   

Any status on updating the Apache versions in the Buffalo firmware?

 

My Buffalo Terastation (HD-H1 0TGL/R5) is identified on my network as running Apache 1.3.33

 

My IT guys say:

 

Apache .lt. 1.3.37 contained a mod_rewrite buffer overflow attack, "RED, URGENT" update or get kicked off the network

Apache .lt. 1.3.41 contained multiple vulnerabilities, mod_proxy, mod_imap, mod_status and mod_proxy_ftp, DoS, XSS, "YELLOW, MODERATE" update or get kicked off the network

 

If I want to continue using my drive, I must update to Apache 1.3.41 or later.

 

Please advise,

-csfv  
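
Added example (not part of any post in this thread): a banner triage check that applies the two Apache 1.3 thresholds quoted in the post above to a `Server` header value. The function names and the sample banners in the test data are constructed for illustration; versions are compared numerically, since a plain string comparison would rank 1.3.9 above 1.3.37.

```python
import re

# Thresholds quoted in the post above: (first unaffected version, rating, issue).
THRESHOLDS = [
    ((1, 3, 37), "RED", "mod_rewrite buffer overflow"),
    ((1, 3, 41), "YELLOW",
     "mod_proxy, mod_imap, mod_status, mod_proxy_ftp (DoS, XSS)"),
]

# Matches "Apache" with an optional "/x.y.z" version token.
BANNER_RE = re.compile(r"\bApache(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)


def apache_version(server_header):
    """Return the version as a tuple of ints, () if the banner hides it,
    or None if the header does not mention Apache at all."""
    match = BANNER_RE.search(server_header or "")
    if match is None:
        return None
    if match.group(1) is None:
        return ()
    return tuple(int(part) for part in match.group(1).split("."))


def classify(server_header):
    """Return (rating, findings) for one Server header value."""
    version = apache_version(server_header)
    if version is None:
        return "NOT_APACHE", []
    if version == ():
        return "UNKNOWN", []          # version suppressed in the banner
    if version[:2] != (1, 3):
        return "OUT_OF_SCOPE", []     # thresholds only describe the 1.3 branch
    findings = [(rating, issue)
                for fixed, rating, issue in THRESHOLDS
                if version < fixed]   # tuple comparison is numeric per field
    return (findings[0][0] if findings else "OK"), findings


if __name__ == "__main__":
    # Constructed sample banners, not captured from any device.
    for banner in ("Apache/1.3.33 (Unix)", "Apache/1.3.9", "Apache/1.3.39",
                   "Apache/1.3.41", "Apache", "Apache/2.2.11"):
        rating, findings = classify(banner)
        print(f"{banner:24} {rating:12} {[issue for _, issue in findings]}")
```

A banner check reports only what the server advertises, so a hidden version or fixes backported under an old version string will not show up; treat the rating as a triage signal to confirm against the firmware's actual patch level.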


nelsonm

