Seagate has confirmed the existence of vulnerabilities in Business Storage 2-Bay NAS devices and promised to patch the issues in May.
However, the company has rated the flaws as “low risk” and noted that only network-attached storage (NAS) solutions used on networks that are publicly accessible via the Internet are vulnerable.
Seagate says Business NAS products are not vulnerable to attacks if their default settings haven’t been been changed by the user. The company has published an advisory containing steps that can be taken to avoid exposure.
On the other hand, Beyond Binary, the security consultancy that disclosed the flaws, disagrees with Seagate’s analysis. The researchers believe the data storage giant is trying to “control brand damage.”
Beyond Binary has found a way to remotely execute arbitrary code with root privileges on Seagate Storage 2-Bay NAS devices by leveraging a combination of vulnerabilities in the Web-based management console that allows Seagate customers to configure the devices.
The security firm, which has identified more than 2,500 devices exposed on the Internet, says the bugs affect products running version 2014.00319 and prior of the firmware.
First of all, researchers have highlighted that the CVSS base score for the vulnerability is 10, so it should not be regarded as “low risk.” Furthermore, experts have pointed out that not only devices that are accessible via the Web are vulnerable, because attackers have other ways of reaching them.
“It is possible to reach such devices via a number of paths including network pivots. [Seagate’s] response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors),” Beyond Binary wrote in response to Seagate’s assessment.
Experts also claim that the devices are vulnerable in their default configuration because the Web-based management portal that contains the vulnerabilities is enabled by default.
“Seagate’s handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn’t severe, resulting in a lack of action on the customer’s behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure,” researchers said.