An Australian security researcher says a bunch of Seagate NAS devices carry serious vulnerabilities and should be kept away from the Internet.
OJ Reeves of Beyond Binary says the Seagate Business NAS line, up to version 2014.00319, carries old versions of PHP, CodeIgniter and Lighttpd. All of these, the post notes, have remotely exploitable vulnerabilities.
As well as these, the company's post says the admin application "contains a number of security-related issues”.
PHP 5.2.12 is vulnerable to CVE-2006-7243, a file path specification bug; while the Web interface running on Lightppd runs as root, meaning any successful exploitation also runs as root.
In the first of these, the PHP session token CodeIgniter creates: it includes user-controllable data which Beyond Binary says “makes it possible for users to extract the encryption key and decrypt the content of the cookie”.
“Once decrypted, users can modify the content of the cookie and re-encrypt it prior to submitting it back to the server, resulting in other potential attack vectors including PHP object injection”.
And, in a bug scenario that's depressingly common in the hardware market, all of the vulnerable NAS units ship the same encryption key for all CodeIgniter instances instead of generating a unique key for each box.
Reeves, a former software developer who set up Beyond Binary last year, told The Register the discovery of the vulnerabilities turned up in a routine scan of a customer's network.
He said the structure of Web traffic to and from the NAS boxes suggested some of the older vulnerabilities, and on deeper investigation, he discovered the single CodeIgniter session key issue.
“CodeIngiter requires a key that encrypts cookies,” Reeves told Vulture South. Since all units use the same key, “that lets you take your current cookie, and apply it to another machine to get administration privileges.”
The Register has approached Seagate for comment. Seagate has responded to say it will "take appropriate action to resolve" the issue. ®