Many vulnerabilities in Seagate Business NAS devices

Do you use Seagate Business NAS disks? An Australian security researcher reports that several Seagate NAS devices have serious vulnerabilities and should stay offline for the time being.

Beyond Binary's OJ Reeves says Seagate Business NAS, up to and including version 2014.00319, ships old versions of PHP, CodeIgniter, and Lighttpd. All three have vulnerabilities, and they can be attacked remotely.

He went on to say that the web management application "contains a number of security-related issues".

The bundled PHP 5.2.12 is vulnerable to CVE-2006-7243, a file path handling bug, and the web interface on Lighttpd runs as root, so a successful exploit of the vulnerability also runs as root.

The CodeIgniter vulnerability is a bit more complex: it is a combination of two bugs, CVE-2014-8686 and CVE-2014-8687.

In the first bug, CodeIgniter's session token contains user-controlled data, which Beyond Binary states "allows users to extract the key used to encrypt and decrypt the cookie's content".

"Once decrypted, users can modify the contents of the cookie and re-encrypt it before sending it back to the server."
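As an added illustration (not code from the article or from Beyond Binary), the following shows the property the flawed cookie scheme lacked: a session cookie whose integrity is bound to a server-side key that never appears in the cookie and cannot be recovered from it, so a client who decodes and edits the contents cannot produce a cookie the server accepts. It uses HMAC-SHA256 signing in Python's standard library; the key, payload fields and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret for the example: generated at startup and kept
# only on the server. It is never placed in, or derived from, cookie contents.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the cookie value needs no quoting.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag computed over it.

    Everything in the body, including user-controlled fields, is covered by the
    tag, so the body can be read by the client but not changed unnoticed.
    """
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(tag)}"


def open_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload only if the tag verifies; None for tampered or malformed input."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = _b64d(body_b64)
        tag = _b64d(tag_b64)
    except ValueError:  # missing separator or invalid base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag byte by byte via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def tamper_demo(key: bytes = SERVER_KEY) -> tuple:
    """Replay the article's scenario (decode, edit, send back) against this design.

    Returns (result for the genuine cookie, result for the edited cookie).
    """
    genuine = seal_cookie({"user_id": 1001, "role": "user"}, key)
    body_b64, tag_b64 = genuine.split(".", 1)
    # The body is only encoded, so a client can read and edit it...
    edited = json.loads(_b64d(body_b64))
    edited["role"] = "admin"
    edited_body = json.dumps(edited, sort_keys=True, separators=(",", ":")).encode()
    # ...but without the server key it cannot compute a matching tag, and the
    # old tag no longer covers the new body.
    forged = f"{_b64e(edited_body)}.{tag_b64}"
    return open_cookie(genuine, key), open_cookie(forged, key)
```

The design choice worth noting is that the cookie carries no material from which the key can be reconstructed: the tag is a one-way function of the key and body, and the server verifies it before trusting a single field. Confidentiality, if needed, is added on top with a separate encryption key, not by reusing the signing key.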

Reeves, a former software developer who founded Beyond Binary last year, said the Seagate Business NAS vulnerabilities were discovered during a routine scan at a customer's site.

If you use these devices, disconnect them from the Internet until a patch that fixes the security holes is released.

More technical details are available on the researcher's page.


Written by giorgos
