The search appliance that has been part of a recent Google hardware promotion contained a “highly critical” flaw leading to the presence of several exploitable bugs.
Unpatched versions of the Google Mini posed a risk of being subjected to cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution, Metasploit reported.
Google addressed the problem by providing a fix directly to clients that had purchased the Google Mini. The search appliance sells for $3,000, but recently has been offered as a free extra to purchasers of Google’s high-end enterprise search appliances.
Researcher H D Moore at Metasploit provided some notes on the company’s web site detailing some of their work with Google on the flaw:
The Google security team responded immediately to our report and were generally very helpful throughout the disclosure process. After a fix was developed, they offered to send us a Mini to verify that all issues had been addressed. Prior to shipping the appliance, they asked for an NDA and a license agreement to be signed and sent back.
The NDA and license agreement both included clauses that restricted reverse engineering and other facets of security research. The NDA prohibited the publication of any information deemed confidential by Google without a prior written agreement.
For any use other than security research, these conditions would not be an issue, however as they were written, any vulnerabilities discovered after the documents were signed could be considered confidential and restricted. We declined to sign the documents and Google placed a demo unit online for verification instead.
David Utter is a staff writer for Murdok covering technology and business. Email him here.
