Do you use Seagate Business NAS drives? An Australian security researcher reports that several Seagate NAS appliances have serious weaknesses and should remain offline for the time being.
Beyond Binary's OJ Reeves says Seagate Business NAS models, up to version 2014.00319, ship with old versions of PHP, CodeIgniter, and Lighttpd. All three have known vulnerabilities and can be attacked remotely.
He went on to say that the web management application "contains a number of security-related issues".
PHP 5.2.12 is vulnerable to CVE-2006-7243, a file path specification bug, and the web application on Lighttpd runs as root, so a successful exploit of the vulnerability will also run as root.
The CodeIgniter vulnerability is a bit more complex: it is a combination of two bugs, CVE-2014-8686 and CVE-2014-8687.
In the first bug, CodeIgniter's PHP session token includes user-controlled data, and Beyond Binary says it "allows users to extract the encryption key and decrypt the content of the cookie".
"Once decrypted, users can modify the contents of the cookie and re-encrypt it before sending it back to the server."
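The cookie tampering described above is avoided when the cookie carries no trusted fields at all, only a random session ID authenticated with a MAC under a key the client never sees. The sketch below is an added example, not code from Beyond Binary, Seagate or CodeIgniter; the `role` field, the function names and the in-memory store are hypothetical, and Python is used only to keep it runnable.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-device random key, generated at first boot,
# never shipped in firmware and never derivable from cookie contents.
MAC_KEY = secrets.token_bytes(32)

# Server-side session state (hypothetical in-memory store).
# Trust-bearing fields such as the role stay here, not in the cookie.
_SESSIONS = {}


def _tag(session_id: str) -> str:
    """HMAC-SHA256 over the session ID, hex encoded."""
    return hmac.new(MAC_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, role: str) -> str:
    """Create a session and return the cookie value '<id>.<hmac>'."""
    session_id = secrets.token_hex(16)
    _SESSIONS[session_id] = {"username": username, "role": role}
    return f"{session_id}.{_tag(session_id)}"


def load_session(cookie: str):
    """Return the session dict, or None if the cookie is malformed,
    carries a bad MAC, or names a session the server does not know."""
    session_id, sep, tag = cookie.partition(".")
    if not sep:
        return None
    # Constant-time comparison; bytes are used so non-ASCII input
    # is rejected instead of raising TypeError.
    if not hmac.compare_digest(tag.encode(), _tag(session_id).encode()):
        return None
    return _SESSIONS.get(session_id)
```

Because the role is looked up server-side, editing the cookie can at most invalidate it; it cannot change what the server believes about the user.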
Reeves, a former software developer who founded Beyond Binary last year, said the discovery of the Seagate Business NAS vulnerabilities came from a routine scan of a client's network.
If you use these devices, disconnect them from the Internet until a patch is released that fixes the security gaps.
More technical details are available on the researcher's page.