Firmware running on certain Seagate network-attached storage devices popular with small businesses and home offices is vulnerable to remote attack.
Researchers at Beyond Binary, a security consulting firm in Australia, on Sunday went public with their disclosure after a nearly five-month back-and-forth with Seagate engineers which has yet to result in updated firmware.
Now that the issue is public, Beyond Binary is urging Seagate Business NAS customers to ensure those boxes are not reachable online and are operating behind a firewall internally. A Shodan scan shows 2,500 vulnerable devices on the Internet, Beyond Binary said.
Seagate Business Storage 2-Bay NAS boxes running firmware versions up to and including 2014.00319 are vulnerable to remote attack, the researchers said.
“These vulnerabilities are exploitable without requiring any form of authorization on the device,” the Beyond Binary advisory said.
The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011; all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components.
Hackers can abuse each of these to plant additional files and executables on the device, or to extract an encryption key that opens up new avenues of attack, Beyond Binary said. The custom web app has issues of its own: it stores information relevant to a user session inside the session cookie on the client rather than on the web server. Those values include the user's name, whether the user is an admin, and the interface language.
According to Beyond Binary, an attacker can bypass authentication and elevate privileges remotely on the device.
“The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.”
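The design flaw described above, as an added illustration that is not code from the Seagate firmware or from the Beyond Binary advisory: a session cookie that carries the user, admin flag and language and is trusted under a key baked into every copy of the firmware, beside the usual fix of keeping session state on the device and authenticating the cookie with a key generated on that unit. The key, cookie layout and class names are constructed for this example, and the cookie is HMAC-signed rather than encrypted, which keeps the stdlib sufficient; the property being shown, that every unit accepts any cookie valid under the shared key, does not depend on that choice.

```python
"""Client-side session state under one shared static key, versus a
server-side session bound to a per-device key.  Hypothetical code written
for this article; it does not reproduce the real firmware, cookie format
or key."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key compiled into every unit's firmware image.
STATIC_FIRMWARE_KEY = b"constructed-static-key-shared-by-all-units"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class VulnerableNas:
    """Keeps the whole session (user, admin flag, language) in the cookie and
    trusts any cookie that validates under the key it shares with every other
    unit.  Nothing is recorded on the device itself."""

    def __init__(self, key: bytes = STATIC_FIRMWARE_KEY):
        self.key = key

    def login(self, user: str, is_admin: bool, lang: str = "en") -> str:
        body = json.dumps({"user": user, "admin": is_admin, "lang": lang}).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(tag)}"

    def session_from_cookie(self, cookie: str):
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None          # tampered cookie is rejected ...
        return json.loads(body)  # ... but a genuine one from ANY unit is accepted


class HardenedNas:
    """Stores session state on the device.  The cookie carries only an opaque
    id, authenticated with a key generated on this unit at first boot, so a
    cookie minted by one unit is meaningless to every other unit."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-device secret, not in the image
        self.sessions = {}

    def login(self, user: str, is_admin: bool, lang: str = "en") -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "admin": is_admin, "lang": lang}
        tag = hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def session_from_cookie(self, cookie: str):
        sid, tag = cookie.split(".")
        expected = hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        # Even a well-formed id must exist in THIS unit's store.
        return self.sessions.get(sid)


def session_accepted_by_other_unit(nas_factory):
    """Regression check a firmware team would keep: log in on unit A, present
    the same cookie to unit B, return whatever session B grants (None if B
    rejects it)."""
    unit_a, unit_b = nas_factory(), nas_factory()
    cookie = unit_a.login("admin", True)
    return unit_b.session_from_cookie(cookie)


if __name__ == "__main__":
    print("vulnerable design, other unit grants:", session_accepted_by_other_unit(VulnerableNas))
    print("hardened design, other unit grants:  ", session_accepted_by_other_unit(HardenedNas))
```

The hardened class applies two independent checks, a per-unit key and a per-unit session table; either alone is enough to reject a cookie from another device, and together they also mean that a leaked cookie reveals nothing about the user it belongs to.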
Beyond Binary said it has developed a Metasploit module and a separate Python script that automate exploits, details of which are available in the advisory.
A request for comment from Seagate went unanswered prior to publication.
Beyond Binary, meanwhile, said in its advisory that initial attempts to disclose privately to Seagate were “time consuming and unproductive.” It eventually found, on its own, a security contact inside Seagate who was cooperative.
A timeline published by Beyond Binary said the vulnerability was discovered and proof of concept exploits were created between Oct. 7 and Oct. 16. The issue was reported Oct. 22 after several attempts to connect with someone over email and social networks. Beyond Binary said it started the clock on a 100-day public disclosure period on Oct. 22. Seagate responded the next day and the two parties exchanged details and proof of concept code over the next two-plus months. On Jan. 17, Beyond Binary said it extended its disclosure deadline to March 1 after communicating with a security contact at Seagate, who said they were able to use the proof of concept code to exploit the bug.
After a status request on new firmware, Beyond Binary said Seagate on Feb. 26 indicated there was no update to be shared and the disclosure deadline passed on Sunday.