After security researcher OJ Reeves publicly revealed the existence of a remote code execution zero-day flaw affecting Seagate’s Business Storage 2-Bay NAS line of products and published a Metasploit module and a standalone Python script that exploit the vulnerability, the company has finally commented the situation more extensively and has announced a patch:
“After careful analysis, Seagate has confirmed that the vulnerability on our Business Storage NAS products is low risk and affects only those Business Storage NAS products used on networks that are publicly accessible via the Internet.
With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible.
All Business Storage NAS customers are encouraged to follow the instructions outlined in this article to ensure the product is secure and inaccessible by an unauthorized third party. Additionally, Seagate recommends as a best practice that customers secure their internal network by implementing a firewall.
For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May, 2015.”
Update, March 24 2015: Seagate sent us the following update:
“Seagate’s initial assessment of the vulnerability reported in our Business Storage NAS focused on the risk to customers when the device is used in a typical deployment – home office or small business environment. We did not properly utilize CVSS reporting. As a result we understated the potential impact of the vulnerability to our customers.
We recommended that customers who own a Seagate Business Storage NAS 1-bay, 2-bay and 4-bay device ensure that these products are not accessible via the public Internet. Additionally, we recommend that access to the web interface of these products be protected by a firewall that is configured to allow only trusted IP addresses.
Seagate will release a patch to the firmware of these devices in April 2015.”