Seagate Quietly Patches Dangerous Bug in NAS Devices

[LASER_oneXM]

Seagate has patched a vulnerability in the firmware of the Seagate Personal Cloud Home Media Storage, a NAS (Network Attached Storage) product.

The vulnerability affects Media Server, a web application that runs on the NAS and allows users to interact with the data stored on the device via a network connection.

Two unauthenticated command injections found on Seagate NASes
The Media Server interface runs on top of a Django (Python) app. A security researcher named Yorick Koster discovered that if an attacker makes malformed requests to two files (getLogs and uploadTelemetry) he can trick the application into executing commands on the underlying device.

The flaw —named an unauthenticated command injection— allows attackers to run commands on the device's underlying firmware from its web management interface.

Koster put together proof-of-concept code that would use the flaw to enable remote SSH access on the Seagate NAS and then change its root password.

Flaws are not easy exploitable
But there's a catch. This interface can only be accessed from the local network. The only way to attack this flaw is by tricking a user into accessing the malformed URL while on the same network (LAN) with the NAS device.

This can be done either by phishing or by malvertising. Phishing can be used for targeted attacks, while malvertising can be used for mass exploitation.

An attacker could embed the attack code to exploit Seagate NAS devices inside ads. When the NAS owner accesses a site with the malicious ad, the ad's hidden code interacts with the vulnerable NAS device.

Such a scenario is not a far-flung fantasy. The DNSChanger exploit kit uses this very same trick for exploiting routers and IoT devices on closed local networks.

Seagate quietly patches issue
Koster has reached out to Beyond Security's SecuriTeam managed vulnerability program to inform Seagate of the issue he discovered. Beyond Security, on behalf of Koster, has reached out to Seagate.

"Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory," Beyond Security wrote.

But Koster has told Bleeping Computer that while ignoring the vulnerability report, Seagate has quietly patched the flaws he reported.

"I can confirm it is fixed on my NAS," Koster told Bleeping Computer, pointing us to the Seagate Personal Cloud changelog for version 4.3.18.0.

We sent Seagate a request for comment on this bug report a few days back, but the company has yet to answer.

You know the drill Seagate Personal Cloud NAS owners. Get patchin'!