I have contacted Seagate regarding the following and was twice informed of a 90-day window for disclosure. I followed up to no response and have decided, following the culmination of those 90-days, to publish. The fact that embedded devices are vulnerable is not new. This is really not newsworthy, but perhaps we can aim higher? The Central NAS is not Seagate’s most popular model, but it does share code with other, more popular products such as the BlackArmor range. Vulnerabilities: - Web application allows unauthorized modification of IP address and hostname. - World-writable system files allow local users to compromise configuration and perform local privilege escalation. (I’ve been informed an updated firmware patch “somewhat” mitigates this, but is unconfirmed) - Common root password is set on all devices and /etc/shadow is world-readable. - Firmware updates are vulnerable to a MITM attack. These are performed over plain HTTP and are not signed, allowing attackers to readily deliver malicious payloads. - The NAS supports multi-user / multi-tenant operation. The files of these users are all set, by default, to mode 777. Users are given SSH access and may readily access and modify each other’s files. - The device exposes a phpinfo() page to unauthorized users (information disclosure). These issues were really low-hanging-fruit. I’m certain a number of remaining issues have yet to be discovered here, but for myself, I’m done. Finally, see the following blog post for more detail and a timeline of communications with the vendor:
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment