Seagate QUIETLY Patches Security Flaw In Their Personal Cloud NAS Devices

If you have a Seagate Personal Cloud NAS device, I’d advise you to check for a firmware update because according to a security researcher, there was a nasty bug that Seagate apparently quietly patched after not acknowledging that the flaw even existed:

The vulnerability affects Media Server, a web application that runs on the NAS and allows users to interact with the data stored on the device via a network connection.

And:

The flaw — named an unauthenticated command injection — allows attackers to run commands on the device’s underlying firmware from its web management interface.

Koster put together proof-of-concept code that would use the flaw to enable remote SSH access on the Seagate NAS and then change its root password.

One caveat is that an attacker has to be on the local network to pull that off. But plenty of malware is capable of getting onto a local network and potentially exploiting something like this, so this isn’t a trivial risk.
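To make the bug class concrete, here is a constructed example of what an "unauthenticated command injection" in a NAS web interface looks like in code, alongside the fixes that remove it. This is illustrative code written for this post; it is not Seagate’s Media Server, not its 4.3.18.0 fix, and not Koster’s proof of concept. The endpoint, the `VALID_SESSION` token and the folder-listing command are all assumptions; the command is `echo` rather than a real listing so the effect is visible and harmless.

```python
import re
import subprocess
from typing import Tuple

# Constructed session token standing in for a real authenticated session.
VALID_SESSION = "session-token-for-illustration"

# Allowlist for a folder name: letters, digits, dot, underscore, dash only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_handler(query_folder: str) -> str:
    """Insecure handler modelling the bug class in the post.

    Two defects: no authentication check at all, and the user-controlled
    value is spliced into a command line that /bin/sh parses.  A value such
    as 'photos; echo pwned' therefore runs a second command the developer
    never intended, with the privileges of the web server process.
    """
    cmd = "echo listing " + query_folder
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def list_folder_safely(folder: str) -> str:
    """Run the same command with an argument list and no shell.

    Shell metacharacters in `folder` are passed to the program as literal
    text, so they cannot start a second command.
    """
    out = subprocess.run(["echo", "listing", folder],
                         capture_output=True, text=True, check=True)
    return out.stdout


def hardened_handler(session_token: str, query_folder: str) -> Tuple[int, str]:
    """Fixed handler: returns (HTTP-style status, body).

    1. Require an authenticated session before doing anything.
    2. Validate the input against a strict allowlist.
    3. Execute with an argument list, never through a shell.
    """
    if session_token != VALID_SESSION:
        return 401, "authentication required"
    if not SAFE_NAME.match(query_folder):
        return 400, "invalid folder name"
    return 200, list_folder_safely(query_folder)


if __name__ == "__main__":
    # Injected input: the vulnerable handler runs the extra command,
    # the hardened handler rejects the request before any command runs.
    print(repr(vulnerable_handler("photos; echo pwned")))
    print(hardened_handler("", "photos"))
    print(hardened_handler(VALID_SESSION, "photos; echo pwned"))
    print(hardened_handler(VALID_SESSION, "photos"))
```

The argument-list form alone already stops the injection; the session check is what turns an "unauthenticated" flaw into one that at least requires a valid login, and the allowlist keeps unexpected values out of the command entirely.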

Here’s the key point to all of this:

[Security researcher named Yorick] Koster has reached out to Beyond Security’s SecuriTeam managed vulnerability program to inform Seagate of the issue he discovered. Beyond Security, on behalf of Koster, has reached out to Seagate.

“Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory,” Beyond Security wrote.

But Koster has told Bleeping Computer that while ignoring the vulnerability report, Seagate has quietly patched the flaws he reported.

“I can confirm it is fixed on my NAS,” Koster told Bleeping Computer, pointing us to the Seagate Personal Cloud changelog for version 4.3.18.0.

That’s really craptastic handling of this issue by Seagate. The fact that they didn’t respond to this, and didn’t put any timeline around a fix, isn’t cool. The only good news is that it looks like they fixed this within the 90-day window that the responsible disclosure protocol demands. But clearly their communication needs to be better. In any case, if you have one of these devices, you need to patch it ASAP.
