Many vulnerabilities in Seagate Business NAS devices


Do you use Seagate Business NAS Trays? An Australian security researcher reports that several Seagate NAS devices have serious weaknesses and should remain for the time being without an Internet connection.lock security Seagate Business NAS

OJ Bee Binary's OJ Reeves says Seagate Business NAS, up to and including 2014.00319, has old versions of PHP, CodeIgniter, and Lighttpd. For all this, there are vulnerabilities and they can be attacked remotely.

He went on to say that the web management application "contains a number of security-related issues".

H PHP 5.2.12 is vulnerable to the CVE-2006-7.243 bug, a bug file path specification, and the Web link on Lightppd runs as root, that is, a successful exploitation of the vulnerability will run as root.

CodeIgniter vulnerability is a little more complicated: there is a combination of two errors CVE-2014-8686 and CVE-2.014-8.687.

In the first error, CodeIgniter's PHP session token contains user-controlled data, and Beyond Binary states that it "allows users to extract the key to encrypt and decrypt the cookie content."

"Once decrypted, users can modify the contents of the cookie and re-encrypt it before sending it back to the server."

Reeves, a former software developer who created Beyond Binary last year, said the discovery of device vulnerabilities Seagate Business NAS came from a routine scan on a client's network.

If you use the devices you disconnect them from the Internet, until a patch is released that will fix the security gaps.

More technical details from the researcher's page.

Registration in iGuRu.gr via Email

Enter your email to subscribe to the email notification service for new posts.


Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News iGuRu.gr at Google news