Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Seagate Downplays Risks Posed by Business NAS Flaws

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate says Business NAS products are not vulnerable to attacks if their default settings haven’t been been changed by the user. The company has published an advisory containing steps that can be taken to avoid exposure.

On the other hand, Beyond Binary, the security consultancy that disclosed the flaws, disagrees with Seagate’s analysis. The researchers believe the data storage giant is trying to “control brand damage.”

Beyond Binary has found a way to remotely execute arbitrary code with root privileges on Seagate Storage 2-Bay NAS devices by leveraging a combination of vulnerabilities in the Web-based management console that allows Seagate customers to configure the devices.

The security firm, which has identified more than 2,500 devices exposed on the Internet, says the bugs affect products running version 2014.00319 and prior of the firmware.

First of all, researchers have highlighted that the CVSS base score for the vulnerability is 10, so it should not be regarded as “low risk.” Furthermore, experts have pointed out that not only devices that are accessible via the Web are vulnerable, because attackers have other ways of reaching them.

Advertisement. Scroll to continue reading.

“It is possible to reach such devices via a number of paths including network pivots. [Seagate’s] response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors),” Beyond Binary wrote in response to Seagate’s assessment.

Experts also claim that the devices are vulnerable in their default configuration because the Web-based management portal that contains the vulnerabilities is enabled by default.

“Seagate’s handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn’t severe, resulting in a lack of action on the customer’s behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure,” researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.