
Seagate NAS Remote Code Execution Vulnerability

Last Update Date: 3 Mar 2015 09:56 | Release Date: 3 Mar 2015

RISK: Extremely High Risk

TYPE: Servers - Network Management


Multiple vulnerabilities were identified in the Seagate Business Storage 2-Bay NAS. Products in this line are affected by a number of issues that, chained together, allow remote code execution as the root user. The vulnerabilities can be exploited without any form of authentication or authorisation on the device.


Seagate Business NAS products ship with a web-based management application. It is built on the following out-of-date components, each of which is known to have security issues:

  • PHP version 5.2.13 (Released 25th February 2010)
  • CodeIgniter 2.1.0 (Released 23rd November 2011)
  • Lighttpd 1.4.28 (Released 22nd August 2010)
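A quick way to find affected devices on a network is to fingerprint the web stack from the HTTP response headers and compare the advertised versions against the ones listed above. The following is an added example, not code from the advisory or from Seagate; it assumes the device's responses carry the default lighttpd `Server:` and PHP `X-Powered-By:` banners, and the sample responses are constructed for illustration.

```python
"""Fingerprint a NAS management interface from its HTTP response headers and
flag the out-of-date components named in the advisory (added example; the
header names are an assumption, the sample responses are constructed)."""
import re

# Versions named in the advisory; anything at or below these is flagged.
OUTDATED = {
    "lighttpd": (1, 4, 28),
    "php": (5, 2, 13),
}

# Default banners emitted by lighttpd and PHP (assumed, not confirmed on-device).
HEADER_RE = {
    "lighttpd": re.compile(r"^Server:\s*lighttpd/(\d+(?:\.\d+)*)", re.I | re.M),
    "php": re.compile(r"^X-Powered-By:\s*PHP/(\d+(?:\.\d+)*)", re.I | re.M),
}


def parse_version(text):
    """'1.4.28' -> (1, 4, 28) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def fingerprint(raw_headers):
    """Return {component: version_tuple} for every recognised banner."""
    found = {}
    for name, pattern in HEADER_RE.items():
        m = pattern.search(raw_headers)
        if m:
            found[name] = parse_version(m.group(1))
    return found


def flag_outdated(raw_headers):
    """Return only the components whose version is <= the advisory's versions."""
    return {
        name: ver
        for name, ver in fingerprint(raw_headers).items()
        if ver <= OUTDATED[name]
    }


# Constructed sample responses (not captured from a real device).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "X-Powered-By: PHP/5.2.13\r\n"
    "Content-Type: text/html\r\n"
)

CURRENT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.35\r\n"
    "X-Powered-By: PHP/5.6.6\r\n"
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE),
                        ("current", CURRENT_RESPONSE)):
        print(label, flag_outdated(resp))
```

Two caveats apply. Banners can be suppressed or rewritten, so an empty result is not proof that a device is safe, and the firmware versions listed below are not exposed in these headers at all. Since no patch exists, the practical value of this check is inventory: finding the devices that the remediation below needs to be applied to.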

NOTE: Vulnerability Has No Patch Available

NOTE: A Proof Of Concept Exploit Code Is Publicly Available


Impact

  • Remote Code Execution
  • Information Disclosure

System / Technologies affected

Two versions of the NAS firmware were tested and found to be vulnerable:

  • 2014.00319
  • 2013.60311

Solutions

  • NOTE: Vulnerability Has No Patch Available
  • Remediation
    • Ensure that the device is not reachable from the public Internet.
    • For internal use, place the device behind a firewall that allows only a trusted set of IP addresses to connect to its web management interface.
