Seagate’s Business Storage 2-Bay NAS line of products, which is popular both with home and business users, sports a zero-day remote code execution vulnerability that can be easily exploited by attackers, security researcher OJ Reeves warned on Sunday.
“Products in this line that run firmware versions up to and including version 2014.00319 were found to be vulnerable to a number of issues that allow for remote code execution under the context of the root user. These vulnerabilities are exploitable without requiring any form of authorisation on the device,” he noted, adding that the danger is very real for the owners of most of the 2,500+ devices found exposed on the Internet via the Shodan search engine.
The devices with the aforementioned versions of the firmware are vulnerable because the web-enabled application used for managing the device is built upon three core technologies – PHP version 5.2.13, CodeIgniter 2.1.0, and Lighttpd 1.4.28 – that have been released years ago, are out of date, and sport known security issues.
“On top of these technologies sits a custom PHP application, which itself contains a number of security-related issues,” he noted, and explained the specific problems.
Reeves, who has discovered the flaw back in October 2014, contacted Seagate and responsibly disclosed it and provided a PoC and exploit for it. After a lot of back and forth, the company confirmed the issue, and said that they will work on a fix. Reeves set the final public disclosure date to 1st March 2015 (this Sunday), and kept to it after the company failed to provide a timeline for the release of the fix.
“At the time of writing there is no firmware version available for download that contains fixes for the issues listed in this advisory,” he explained and advised: “It is recommended that consumers of these Seagate Business NAS products (and other products using vulnerable firmware) ensure that devices are not accessible via the public Internet. For internal use, it is recommended that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface.”
UPDATE (March 9, 2015): Seagate has announced a software patch for May 2015.