Are you using Seagate Business NAS drives? An Australian security researcher reports that several Seagate NAS appliances carry serious weaknesses and should, for now, be kept off the Internet.
Beyond Binary's OJ Reeves says Seagate Business NAS models, up to version 2014.00319, ship with old versions of PHP, CodeIgniter, and Lighttpd. All of these have known vulnerabilities that can be attacked remotely.
He went on to say that the web management application "contains a number of security-related issues".
PHP 5.2.12 is vulnerable to CVE-2006-7243, a file path handling bug, while the web interface served by Lighttpd runs as root, meaning a successful exploit of the vulnerability will also run as root.
The CodeIgniter issue is a little more complicated: it is a combination of two flaws, CVE-2014-8686 and CVE-2014-8687.
In the first flaw, CodeIgniter's PHP session token includes data controlled by the user, and Beyond Binary states that this "allows users to extract the encryption and decryption key of the cookie content".
"Once decrypted, users can modify the contents of the cookie and re-encrypt it before sending it back to the server."
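To see why an encrypt-only session cookie is dangerous once its contents are user-influenced, here is an added illustration that is not code from Seagate, CodeIgniter or the researcher: a constructed toy cookie scheme (a SHA-256 counter keystream standing in for any unauthenticated encryption) next to the same cookie protected by an HMAC tag. In the first, a single ciphertext byte change silently turns a guest into an admin; in the second, the server rejects the modified cookie.

```python
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)  # constructed server secret, regenerated on each run
SAMPLE_SESSION = {"admin": 0, "user": "guest"}  # constructed session contents
PLAINTEXT = json.dumps(SAMPLE_SESSION, sort_keys=True)
ADMIN_OFFSET = PLAINTEXT.index(": 0") + 2  # byte position of the "0" in "admin": 0


def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher: NOT CodeIgniter's real Encrypt class, only a stand-in
    # for any scheme that encrypts but does not authenticate.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt_only_cookie(session: dict) -> bytes:
    pt = json.dumps(session, sort_keys=True).encode()
    return bytes(a ^ b for a, b in zip(pt, _keystream(KEY, len(pt))))


def parse_encrypt_only_cookie(cookie: bytes) -> dict:
    # No integrity check: whatever decrypts is trusted as the session state.
    pt = bytes(a ^ b for a, b in zip(cookie, _keystream(KEY, len(cookie))))
    return json.loads(pt)


def authenticated_cookie(session: dict) -> bytes:
    body = encrypt_only_cookie(session)
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def parse_authenticated_cookie(cookie: bytes):
    body, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # modified or forged cookie: reject before decrypting
    return parse_encrypt_only_cookie(body)


def modify_byte(cookie: bytes, offset: int, old: str, new: str) -> bytes:
    # Models a client editing the cookie: in a stream cipher, XORing the
    # ciphertext with old^new changes the decrypted character at that offset.
    out = bytearray(cookie)
    out[offset] ^= ord(old) ^ ord(new)
    return bytes(out)
```

The first parser returns `{"admin": 1, ...}` for the edited cookie; the second returns `None`, which is the behaviour a session layer needs regardless of how the cookie is encrypted.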
Reeves, a former software developer who founded Beyond Binary last year, said the Seagate Business NAS vulnerabilities were discovered during a routine scan of a client's network.
If you use these devices, disconnect them from the Internet until a patch that fixes these security gaps is released.
More technical details are available on the researcher's page.