Seagate Remote Code Zero Day

Tuesday, March 3, 2015 @ 04:03 PM gHale

Seagate’s Business Storage 2-Bay NAS line has a Zero Day remote code execution vulnerability an attacker could exploit with ease, researchers said.

“Products in this line that run firmware versions up to and including version 2014.00319 were found to be vulnerable to a number of issues that allow for remote code execution under the context of the root user,” said security researcher OJ Reeves. “These vulnerabilities are exploitable without requiring any form of authorization on the device,” he said. The danger is very real for the owners of most of the over 2,500 devices exposed on the Internet via the Shodan search engine.

Adobe Fixes Flash Zero Day
IE Hole Allows Attackers to Phish
Adobe Flash Zero Day in Exploit Kit
Zero Day Abused in Sony Hack: Report

The devices with the vulnerable versions of the firmware are vulnerable because the web-enabled application used for managing the device consists of three core technologies — PHP version 5.2.13, CodeIgniter 2.1.0, and Lighttpd 1.4.28 — released years ago, are out of date, and sport known security issues.

“On top of these technologies sits a custom PHP application, which itself contains a number of security-related issues,” he said.

Reeves, who has discovered the flaw back in October 2014, contacted Seagate and responsibly disclosed it and provided a PoC and exploit for it. After a series of back and forth, the company confirmed the issue, and said they will work on a fix. Reeves set the final public disclosure date to March 1, and kept to it after the company failed to provide a timeline for the release of the fix.

He has also created and provided links to a Metasploit module and a standalone Python script that exploit the vulnerability.

“At the time of writing there is no firmware version available for download that contains fixes for the issues listed in this advisory,” he said. He went on the say, “It is recommended that consumers of these Seagate Business NAS products (and other products using vulnerable firmware) ensure that devices are not accessible via the public Internet. For internal use, it is recommended that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface.”

Seagate did respond to Reeves, saying “Security and data privacy are a priority for Seagate. We are aware of the vulnerability report and will take appropriate action to resolve.”

Leave a Reply

You must be logged in to post a comment.