Time to patch your firmware! Backdoor discovered into Seagate NAS drives
If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings.
An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others.
The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014. The problems were discovered way back in March, but a patch has only recently been published, along with an advisory notice from US CERT. Tangible Security issued a warning of its own:
With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor. Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.
The research group also shared details of the vulnerabilities:
Use of Hard-coded Credentials
- Vulnerability Description: The affected device firmware contains undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password
- Impact Description: an attacker can covertly take control of the device, not only compromising the confidentiality of files stored on it but use it as a platform to conduct malicious operations beyond the device
- CVE-2015-2874
- CWE-798
Direct Request ('Forced Browsing')
- Vulnerability Description: The affected device firmware provides unrestricted file download capability
- Impact Description: Attackers can gain access all files stored in affected devices. This vulnerability requires attackers to be within range of the device’s wireless network
- CVE-2015-2875
- CWE-425
Unrestricted Upload of File with Dangerous Type
- Vulnerability Description: The affected device firmware provides a file upload capability to the device's /media/sda2 file system, which is reserved for the file sharing
- Impact Description: this vulnerability requires attackers to be within range of the device’s wireless network, who can upload files onto it. If such files were maliciously crafted, they could compromise other endpoints when the files are opened
- CVE-2015-2876
- CWE-434
Anyone with an affected device is advised to update to firmware version 3.4.1.105 which addresses the issue.