Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.
However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.
Seagate says Business NAS products are not vulnerable to attacks if their default settings haven’t been been changed by the user. The company has published an advisory containing steps that can be taken to avoid exposure.
On the other hand, Beyond Binary, the security consultancy that disclosed the flaws, disagrees with Seagate’s analysis. The researchers believe the data storage giant is trying to “control brand damage.”
Beyond Binary has found a way to remotely execute arbitrary code with root privileges on Seagate Storage 2-Bay NAS devices by leveraging a combination of vulnerabilities in the Web-based management console that allows Seagate customers to configure the devices.
The security firm, which has identified more than 2,500 devices exposed on the Internet, says the bugs affect products running version 2014.00319 and prior of the firmware.
First of all, researchers have highlighted that the CVSS base score for the vulnerability is 10, so it should not be regarded as “low risk.” Furthermore, experts have pointed out that not only devices that are accessible via the Web are vulnerable, because attackers have other ways of reaching them.
“It is possible to reach such devices via a number of paths including network pivots. [Seagate’s] response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors),” Beyond Binary wrote in response to Seagate’s assessment.
Experts also claim that the devices are vulnerable in their default configuration because the Web-based management portal that contains the vulnerabilities is enabled by default.
“Seagate’s handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn’t severe, resulting in a lack of action on the customer’s behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure,” researchers said.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
