Seagate NAS Unpatched Vulnerabilities Put Thousands of Users at Risk

OJ Reeves, an Australian security researcher-cum-white hat hacker, discovered a remote code execution vulnerability in Seagate’s Network Attached Storage (NAS) device software, as well as two fully operational exploits leveraging the flaws. Reeves says that Seagate’s Business NAS line, up to version 2014.00319, carries old versions of PHP, CodeIgniter, and Lighttpd. According to reports, the vulnerability was disclosed some 130 days ago and yet remains unpatched to date, possibly putting thousands of users at risk. In the past, Synolocker ransomware was known to have targeted NAS devices, denying victims access to their encrypted files.

As mentioned above, the NAS Web application uses three core technologies—PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28—that are outdated. PHP version 5.2.13 has a vulnerability (CVE-2006-7243) that allows user-controlled data to terminate file paths prematurely, giving attackers full control over the file extension. CodeIgniter versions prior to 2.2.0 have a vulnerability (CVE-2014-8686) that allows attackers to extract the encryption key and decrypt the contents of the cookie. Once the cookie is decrypted, attackers can modify its content and re-encrypt it before submitting it back to the server.
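For defenders reviewing a device's web logs, the path-termination issue described above typically surfaces as a URL-encoded NUL byte in the request target. The following is an added example, not code from the researcher or from Seagate; it assumes common-log-style access log lines, and the sample lines, addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the client address and the quoted request line of a
# common-log-style entry: ... "METHOD target HTTP/x.y" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
MAX_DECODE_ROUNDS = 3  # also catch nested encodings such as %2500


def contains_nul(target: str) -> bool:
    """True if the request target decodes to a NUL byte within a few rounds."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        if "\x00" in current:
            return True
        decoded = unquote(current, errors="replace")
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return "\x00" in current


def find_nul_requests(lines):
    """Return (line number, client, raw target) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if m and contains_nul(m.group("target")):
            hits.append((lineno, m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2015:10:00:05 +0000] "POST /upload?name=doc%00.jpg HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Mar/2015:10:00:09 +0000] "GET /files/photo.jpg HTTP/1.1" 200 20480',
    '203.0.113.5 - - [01/Mar/2015:10:00:12 +0000] "GET /view?file=notes%2500.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Mar/2015:10:00:15 +0000] "GET /search?q=100%25 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for lineno, ip, target in find_nul_requests(SAMPLE_LOG):
        print(f"line {lineno}: {ip} requested {target!r}")
```

Access logs record only the request line, so values sent in a request body or a cookie are not covered by this check.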

Users of Seagate’s Business Storage NAS products are encouraged to ensure that their devices are not connected via the public Internet.

What is NAS?

NAS, or Network Attached Storage, is a type of self-contained, dedicated file storage device connected to a network that provides data access to multiple computers and devices. In essence, a NAS operates as a file server and is managed by a Web-based utility program. As such, NAS devices allow secure data access regardless of user location. Users can access their data whether they’re in the same room as the device or on the go, as long as they’re connected to the Internet.

For homes, NASes are used for storing and serving multimedia files and for automated backups. Users can load digital music, files, films, and photos into the NAS system and stream them anywhere within the house. In addition, users can access their media remotely from their devices.

In an enterprise, a NAS can be used as a backup for archiving and disaster recovery. For small businesses, if a NAS device has a server mode, it can function as an email, database, and print server. 

While NAS devices offer users and enterprises convenient functions that are similar to those of a mini server, these embedded devices often require Internet connectivity and could be open to attack. If not properly configured or regularly updated, the user’s network and devices can be hacked through vulnerabilities found on each device connected to it. Users are advised to update their devices and smart security systems regularly, and to beef up network security settings to avoid likely attacks and intrusions.
