Monday, 2 March 2015

Criticism Leak Discovered In Seagate NAS Systems


A researcher has a critical vulnerability in several NAS hard drive manufacturer Seagate discovered that an attacker can potentially thousands of these devices on the internet can take over, but despite months of communication about the problem, there is still no update for affected users are available.

The problem is in the Seagate Business NAS systems, according to the researcher Beyond Binary be used by both consumers and businesses. Through the systems, it is possible to store data and to share. To create users, set access rights, file management and other issues are the NAS systems provide a web management application.

The researcher discovered that this application is based on three outdated technologies, namely PHP version 5.2.13 (2010), CodeIgniter 2.1.0 (2011) and Lighttpd 4.1.28 (2010). The versions of PHP and CodeIgniter contain several vulnerabilities. In addition, also found problems in the application developed by Seagate. An attacker who adapts the session cookie can therefore eventually execute code as the user "root".

Meanwhile, there are a Metasploit module and a Python script developed to vulnerable systems can be attacked. The requirement is that the NAS can be accessed via the internet. A search via the search engine Shodan yielded more than 2,500 potentially vulnerable NAS systems. The problem has been confirmed on NAS systems with firmware 2014.00319 and 2013.60311, but the researcher suggests that basically all firmware versions are vulnerable.

In addition to the access data to attack the NAS systems within an organization can have far greater consequences. The NAS does not work with Active Directory or LDAP. Therefore they need the password for each user who needs access locally. These passwords are vulnerable through the MD5 hashing algorithm hashed. According to the researcher NAS systems at companies are undoubtedly contain passwords that are reused by domain users. An attacker who has access to the NAS can thus steal the MD5 hashes and crack, and discover the domain data.

Despite the severity of the problem, there is no update available, and the question is whether that will come. On 7 October 2014, the researcher reported the problem to Seagate. Then followed sorts messages where it appeared difficult for the investigation to catch the right person. Late January a Seagate employee could reproduce the problem using the supplied exploit. The researcher stated on January 17 that he wanted to publish the issue on 1 March.

However, this did not lead to an update since last Thursday Seagate said that there is no solution yet available. Users who want to protect themselves get therefore advised to make the NAS not accessible from the public Internet and placing the devices behind a firewall and only give several reliable IP addresses access.

No comments:

Post a Comment