A critical zero-day vulnerability affects Network Attached Storage (NAS) device software produced by the Seagate firm. The vulnerability was discovered by the security researcher OJ Reeves on October 7 and reported to Seagate that still hasn’t fixed the zero-day.
The Seagate Business Storage 2-Bay NAS product is affected by a critical Remote Code Execution vulnerability, the experts speculate that thousands of users are potentially exposed to risk of cyber attack. First analysis revealed that at least 2,500 Seagate NAS are exposed on the Internet.
Reeves explained that attackers need to share the same network segment in order to exploit the flaw and gain root access of the vulnerable NAS, without the need of a valid login. Reeves also released on Github a python script along with a Metasploit module version to exploit the vulnerability.
The NAS Seagate’s Business Storage 2-Bay NAS, like many other devices, exposes a web-enabled management console that could be used to configure it. In the specific case the management console is composed of out-dated versions of popular software:
PHP version 5.2.13 is affected by the CVE-2006-7243 vulnerability that allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension. CodeIgniter version used by the Seagate NAS is affected by the CVE-2014-8686 vulnerability that allows an attacker to extract the encryption key and decrypt the content of the cookie.
“All three of these technologies are clearly out of date, and the listed versions of PHP and CodeIgniter are known to have security issues. On top of these technologies sits a custom PHP application, which itself contains a number of security-related issues. Details of each key issue are listed below.” states Reeves in a blog post.
“The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access. In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance,” Reeves explained in an advisory.
According to the expert, there are two different network storage devices made by Seagate found to be vulnerable because are running flawed versions of the Seagate NAS firmware, but Reeves believes that all versions of Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same zero-day. The version affected by the flaw are:
Reeves provided also a Metasploit module and a Python script that could be used for testing. Unfortunately, there is no patch for the vulnerability, the only way to mitigate the risk of attacks is to isolate the device controlling the access an allowing interaction with a limited number of IP addresses.