Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Seagate Downplays Risks Posed by Business NAS Flaws

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.

However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.

Seagate says Business NAS products are not vulnerable to attacks if their default settings haven’t been been changed by the user. The company has published an advisory containing steps that can be taken to avoid exposure.

On the other hand, Beyond Binary, the security consultancy that disclosed the flaws, disagrees with Seagate’s analysis. The researchers believe the data storage giant is trying to “control brand damage.”

Beyond Binary has found a way to remotely execute arbitrary code with root privileges on Seagate Storage 2-Bay NAS devices by leveraging a combination of vulnerabilities in the Web-based management console that allows Seagate customers to configure the devices.

The security firm, which has identified more than 2,500 devices exposed on the Internet, says the bugs affect products running version 2014.00319 and prior of the firmware.

First of all, researchers have highlighted that the CVSS base score for the vulnerability is 10, so it should not be regarded as “low risk.” Furthermore, experts have pointed out that not only devices that are accessible via the Web are vulnerable, because attackers have other ways of reaching them.

“It is possible to reach such devices via a number of paths including network pivots. [Seagate’s] response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors),” Beyond Binary wrote in response to Seagate’s assessment.

Advertisement. Scroll to continue reading.

Experts also claim that the devices are vulnerable in their default configuration because the Web-based management portal that contains the vulnerabilities is enabled by default.

“Seagate’s handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn’t severe, resulting in a lack of action on the customer’s behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure,” researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.