Users offered instructions to secure the storage units

Mar 10, 2015 14:11 GMT  ·  By

Administrators of Seagate Business Storage 2-Bay NAS systems will have to wait until May for a firmware fix that addresses the remote code execution flaws disclosed at the beginning of the month.

Security consultancy Beyond Binary revealed on March 1 that the firmware of some Seagate NAS devices was built on versions of PHP and CodeIgniter with known vulnerabilities, even though newer, patched versions of both are available for download.

Hacking NAS over the Internet is unlikely, Seagate says

By default, the Business Storage 2-Bay NAS is not reachable from outside the local network; some deployments, however, enable remote access out of necessity rather than convenience.

At the time of the research, Australia-based Beyond Binary found more than 2,500 NAS devices running the affected firmware revision (2014.00319) that were reachable from the Internet. The researchers located them with Shodan, a search engine that indexes Internet-connected devices.

Seagate has downplayed the risk, saying that having the NAS attacked over the Internet is an unlikely scenario. The company has nevertheless published instructions for securing the devices.

Beyond Binary has developed and published a Metasploit module and a Python script that automate exploitation of the flaws.

The number of exposed units may not be large, but with working exploit code publicly available and a product line aimed at business use, a compromise would cause considerable damage to the owners of those devices.

Risk confirmed, company issues interim solution

Beyond Binary first contacted Seagate in October 2014 and disclosed the flaws to the company well before publishing its findings.

Seagate acknowledged the validity of the proof-of-concept it received but did not indicate at the time that new firmware was in the works.

Until an update becomes available in May (no more precise release date has been given), Seagate recommends that users disable UPnP port forwarding and the FTP service from the management page of the Business Storage NAS.

Seagate notes that remote access to the unit through its Global Access or TappIn software remains possible after these changes, so users can still upload, download and work with stored files and folders.