Today, Rapid7 is disclosing a vulnerability discovered by James “egyp7” Lee of Rapid7 that affects ExaGrid storage devices running firmware prior to version 4.8 P26. James discovered that an attacker can exploit these issues with common client tools: an SSH terminal client and a web browser. All that is needed are the default credentials and the ability to connect to the device over a network.
Since Rapid7 alerted ExaGrid to these vulnerabilities, the issues have been fixed. A statement from Bill Andrews, CEO of ExaGrid, about the disclosure is below:
“ExaGrid prides itself on meeting customer requirements,” said Bill Andrews, CEO of ExaGrid. “Security is without question a top priority, and we take any such issues very seriously. When we were informed by Rapid7 of a potential security weakness, we addressed it immediately. We value Rapid7’s involvement in identifying security risks since strong security will always be a key customer requirement.”
For your reference, more information about this disclosure can be found here: https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials