Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Seagate Downplays Risks Posed by Business NAS Flaws

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate says Business NAS products are not vulnerable to attacks if their default settings haven’t been been changed by the user. The company has published an advisory containing steps that can be taken to avoid exposure.

On the other hand, Beyond Binary, the security consultancy that disclosed the flaws, disagrees with Seagate’s analysis. The researchers believe the data storage giant is trying to “control brand damage.”

Beyond Binary has found a way to remotely execute arbitrary code with root privileges on Seagate Storage 2-Bay NAS devices by leveraging a combination of vulnerabilities in the Web-based management console that allows Seagate customers to configure the devices.

The security firm, which has identified more than 2,500 devices exposed on the Internet, says the bugs affect products running version 2014.00319 and prior of the firmware.

First of all, researchers have highlighted that the CVSS base score for the vulnerability is 10, so it should not be regarded as “low risk.” Furthermore, experts have pointed out that not only devices that are accessible via the Web are vulnerable, because attackers have other ways of reaching them.

“It is possible to reach such devices via a number of paths including network pivots. [Seagate’s] response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors),” Beyond Binary wrote in response to Seagate’s assessment.

Advertisement. Scroll to continue reading.

Experts also claim that the devices are vulnerable in their default configuration because the Web-based management portal that contains the vulnerabilities is enabled by default.

“Seagate’s handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn’t severe, resulting in a lack of action on the customer’s behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure,” researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.