
Seagate Business NAS Flaws Allow Remote Code Execution: Researchers

Some of Seagate’s network-attached storage (NAS) solutions for businesses are plagued by serious vulnerabilities that can be exploited by malicious actors to execute arbitrary code on affected systems, according to researchers.

Researchers at security consultancy Beyond Binary analyzed Seagate’s Business Storage 2-Bay NAS, a product designed for small businesses that can be used to connect up to 20 PC and Mac workstations, and found multiple security flaws.

According to Beyond Binary, the Web-based management console that allows Seagate Business NAS owners to configure the device uses several technologies and a custom PHP application that are affected by some serious security issues.

The administration console uses PHP 5.2.13, a version released in February 2010, CodeIgniter 2.1.0, released in November 2011, and Lighttpd 1.4.28, released in August 2010. The outdated version of PHP contains an old vulnerability (CVE-2006-7243) that can be leveraged to bypass restrictions and gain control of file extensions.

CodeIgniter versions prior to 2.2.0 are plagued by a flaw that can be leveraged to extract encryption keys and decrypt cookie contents (CVE-2014-8686). An attacker can decrypt the cookie, modify it, and re-submit it to the server for PHP object injection and possibly even remote code execution (CVE-2014-8684).

Another issue with CodeIgniter is that the same encryption key is used for every Seagate NAS device in this particular product line (CVE-2014-8687).

The custom PHP application used by the management console doesn’t store session information on the server side. Instead, the information is stored in a session cookie. The PHP hash in the cookie contains three parameters that can prove useful to a malicious actor.

One of the parameters is called “username,” which represents the username for the current session. The problem, according to researchers, is that once the session has been established, there is no further validation of user credentials as long as the username field can be found in the cookie. An attacker can manipulate the value of this parameter to bypass the login mechanism.

Another problematic parameter is “is_admin,” which shows whether the current user is an administrator or not. An attacker can change the value of this entry in order to elevate his privileges, experts said.


“The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access. In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance,” Beyond Binary explained in a blog post.

The last interesting parameter found in the cookie is “language.” This entry might not seem important since it only represents the user’s chosen language. However, it can be manipulated for the exploitation of a local file inclusion (LFI) vulnerability, researchers noted.

The Web application used by the Seagate NAS management console is served by an instance of the lighttpd open-source web server running under the context of the root user. This allows an attacker to conduct malicious activities with root privileges, researchers noted.

In order to execute arbitrary code on vulnerable systems, an attacker must first write PHP code to the NAS file system. Then, he can manipulate the language variable to add the path to the PHP code. At this point, the CVE-2006-7243 vulnerability in PHP must be exploited in order to force PHP to ignore characters appended to the file path. Finally, the malicious actor can execute the code with root privileges by making a request with the crafted cookie.
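The session design the article describes, as an added example in Python rather than the NAS's PHP (this is not Beyond Binary's or Seagate's code): the vulnerable pattern derives identity, role and an include path from cookie fields the client controls, while the hardened pattern keeps that state server-side behind a random session id and allowlists the language value. The function names, the in-memory store and the constructed cookie are assumptions.

```python
import json
import secrets
from typing import Optional

# --- Vulnerable pattern: the cookie IS the session (as in the article) ---
# A constructed cookie; no server-side record exists to compare it against,
# so every field is taken at face value.
FORGED_COOKIE = json.dumps(
    {"username": "admin", "is_admin": "1", "language": "../not_a_language"}
)

def vuln_authorize(cookie_json: str) -> dict:
    """Trusts whatever the client presents: username, role and include path."""
    data = json.loads(cookie_json)
    return {
        "user": data["username"],
        "admin": data["is_admin"] == "1",
        # include path built from client input: the LFI described above
        "lang_file": f"/www/lang/{data['language']}.php",
    }

# --- Hardened pattern: opaque id in the cookie, state on the server ---
ALLOWED_LANGS = {"en", "de", "fr"}   # fixed allowlist, never a path
SESSIONS: dict = {}                  # assumed in-memory store for the example

def login(username: str, is_admin: bool) -> str:
    """Creates a server-side session and returns only an unguessable id."""
    sid = secrets.token_urlsafe(32)  # per-session, not a static shared key
    SESSIONS[sid] = {"username": username, "is_admin": is_admin, "language": "en"}
    return sid

def hardened_authorize(sid: str, requested_lang: Optional[str] = None) -> Optional[dict]:
    """Resolves identity and role from the server record; rejects unknown ids."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None                  # forged or replayed id: no access at all
    if requested_lang is not None:
        if requested_lang not in ALLOWED_LANGS:
            return None              # reject instead of building a path from it
        sess["language"] = requested_lang
    return {
        "user": sess["username"],
        "admin": sess["is_admin"],
        "lang_file": f"/www/lang/{sess['language']}.php",
    }
```

Because the hardened id carries no meaning on its own, a cookie copied to another device (which has its own session store) resolves to nothing there.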

Beyond Binary has made available a proof-of-concept script written in Python and a Metasploit module that automate the attack.

The security firm has successfully reproduced the exploits on versions 2014.00319 (the latest version as of March 2, 2015) and 2013.60311 of the firmware. Researchers believe all versions of the firmware are likely affected.

Shodan, the search engine for connected devices, shows that there are more than 2,500 Seagate NAS devices accessible over the Internet and experts believe they are likely vulnerable to such attacks.

Seagate was first made aware of these vulnerabilities back in October 2014. The data storage giant confirmed in January that it had successfully reproduced the attack using the PoC code submitted by Beyond Binary, but so far it hasn’t produced a firmware update to address the issues.

Contacted by SecurityWeek, the company’s representatives said they are “aware of the reports and are in the process of assessing the potential issue.”

Until a permanent fix becomes available, Seagate Business NAS customers are advised to ensure that the devices are not accessible via the Internet. Users should also make sure the Web interface can only be accessed from trusted IP addresses.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
