Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, told customers exposed to the vulnerability that a patch is still two months away.
“For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May 2015,” said a statement emailed to Threatpost.
Seagate said that after analyzing the vulnerability, it has determined the zero-day to be low risk because it affects only those customers to expose the NAS boxes to the Internet.
“With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible,” Seagate said.
Seagate has built a website for concerned customers with instructions on how to mitigate exposure, and encouraged users to put the NAS boxes behind a firewall when using them exclusively on internal networks.
The vulnerability was publicly disclosed a week ago Sunday by Australian security consultancy Beyond Binary after five months of dialogue with Seagate that failed to produce a security update for the firmware issue in question, the researchers said. Beyond Binary said it used a Shodan scan to find 2,500 vulnerable devices exposed to the Internet.
Beyond Binary said Seagate boxes running firmware version up to and including 2014.00319 are vulnerable and exploitable without authorization.
The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011; all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components.
Seagate determined the 0day to be low risk because it affects only NAS boxes exposed online. via @ThreatpostTweet
Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said. The custom web app is not without its issues too as it stores information relevant to a user session inside a session cookie rather than on the webserver. Some of those values include the name of the user, whether they’re an admin and the language.
“The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.”