Many vulnerabilities in Seagate Business NAS devices

Are you using Seagate Business NAS drives? An Australian security researcher reports that several Seagate NAS φέρουν σοβαρές αδυναμίες και πρέπει να παραμένουν προς το παρόν χωρίς σύνδεση στο .lock security Seagate Business NAS

Beyond Binary's OJ Reeves says Seagate Business NAS, up to version 2014.00319, comes with old versions of PHP, CodeIgniter, and Lighttpd. For all of these, there are vulnerabilities and they can be attacked remotely.

He went on to say that the web management application "contains a number of security-related issues".

H PHP 5.2.12 is vulnerable to the bug -2006-7.243, a file path specification bug while the Web interface present in Lightppd runs as root, meaning a successful exploit of the vulnerability will run as root.

CodeIgniter vulnerability is a little more complicated: there is a combination of two errors CVE-2014-8686 and CVE-2.014-8.687.

In the first error, PHP token του CodeIgniter περιλαμβάνει which are controlled by the user and Beyond Binary states that it “allows users to extract the encryption and decryption key of the cookie content”.

"Once decrypted, users can modify the contents of the cookie and re-encrypt it before sending it back to the server."

Reeves, a former software developer who created Beyond Binary last year, said the discovery of device vulnerabilities Seagate Business NAS came from a routine scan on a client's network.

If you use the devices, disconnect them from the Internet until a patch is released that will fix them .

More technical details from the researcher's page.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).