Thousands of Seagate Network Attached Storage (NAS) devices are defenseless against a zero-day remote code execution (RCE) vulnerability. Back in October, security researcher OJ Reeves attempted to responsibly disclose the hole in Seagate’s Business Storage 2-Bay NAS products, which ironically use a tagline of “deadlines happen. Be ready.” But Seagate still hasn’t issued a firmware fix, so Reeves has now publicly disclosed the bug.
“Products in this line that run firmware versions up to and including version 2014.00319 were found to be vulnerable to a number of issues that allow for remote code execution under the context of the root user,” Reeves wrote on Beyond Binary. “These vulnerabilities are exploitable without requiring any form of authorization on the device.” Reeves believes all previous firmware versions “are highly likely to contain the same vulnerabilities.”
“It’s basically a ‘push button, receive bacon’ situation,” Reeves told iDigitalTimes. By using Shodan, he found over 2,500 publicly exposed and vulnerable boxes on the web waiting to be popped.
Regarding responsible disclosure, Reeves said he tried starting on Oct. 7, but it was both time-consuming and unproductive; Seagate’s “front-line support team repeatedly failed to direct the query to the relevant point of contact.” He later bypassed the so-called “support” staff and dealt with a security contact who seemed concerned in the “early stages.” Yet Seagate still took no action and had no timeline for a fix. So today, March 1, Reeves went public with the zero-day.
Seagate Business NAS products have a web-enabled management application that admins can use to configure functions, set up access control, add users and groups, create data backups for Windows and more.
Reeves explained that the web app was built using three core technologies that are way out of date and riddled with security vulnerabilities: PHP version 5.2.13 which was released in Feb. 2010, CodeIgniter 2.1.0 which was released in Nov. 2011, and Lighttpd 1.4.28 which was released in August 2010.
Regarding the session tokens created by the version of CodeIgniter used by Seagate, the encryption key is not unique; in other words, the “encryption key that is used is exactly the same for every instance.” Seagate’s custom web app “does not appear to maintain session-related information on the web server side. All of the information relevant to a user session is stored inside the session cookie prior to it being encrypted and sent to the browser.”
The cookie contains string values for username, is_admin and language. Reeves said:
Once a session has been established and the username field is present in the cookie, the system does no further validation of user credentials. This means that if a user can manipulate this value directly, instead of attempting to log in the standard way, they can bypass the login mechanism completely.
Direct modification (or addition) of the is_admin value allows a user to self-elevate to administrative privileges in the web application itself.
The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access. In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.
An attacker could manipulate the language parameter “for exploitation of a local file inclusion vulnerability.” He added, “Finally, the web application is being served by an instance of Lighttpd that is running under the context of the root user. Hence, any successful exploitation results in activities being conducted as root.”
Additionally, “instances of the NAS housed inside an organization are likely to contain passwords that are reused by domain users.” Since “the MD5 hashes are very easy to crack,” Reeves said “an attacker could easily acquire domain credentials once the NAS has been compromised.”
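The two design weaknesses described above, a session whose every field lives in the cookie sealed with one key shared by every unit (the username/is_admin/language cookie and the cross-instance replay Reeves describes) and a password store of crackable MD5 hashes, modelled in an added Python example that is not Seagate’s or CodeIgniter’s code. The weak half is a simplified stand-in (a toy HMAC-based keystream and a hard-coded placeholder key rather than the real library’s cipher); the hardened half shows what a defender would want instead: a salted, iterated password hash, a key generated on each unit, and a cookie that carries only an opaque, authenticated session id while the privilege flag stays in a server-side record. All user names, passwords and key values are constructed.

```python
"""Constructed model of the session and credential weaknesses described in the
advisory, next to a hardened design. Not Seagate or CodeIgniter code."""
import base64
import hashlib
import hmac
import json
import secrets

# ---- Weak design: all session state is in the cookie, sealed with a key that
# is identical on every unit, and the server checks nothing beyond its presence.
STATIC_KEY = b"same-key-in-every-firmware-image"  # constructed placeholder


def _stream(key, nonce, n):
    """Toy keystream (HMAC-SHA256 in counter mode); a stand-in for whatever
    cipher a real library uses. Only the design properties matter here."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def weak_seal(fields, key=STATIC_KEY):
    """Serialise the session fields and XOR them with the keystream. Because the
    key ships in every firmware image, anyone holding one unit can mint this."""
    data = json.dumps(fields).encode()
    nonce = secrets.token_bytes(8)
    sealed = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return base64.urlsafe_b64encode(nonce + sealed).decode()


class WeakNas:
    """A unit that decrypts the cookie and believes whatever it finds inside."""

    def authorize(self, cookie):
        raw = base64.urlsafe_b64decode(cookie)
        nonce, sealed = raw[:8], raw[8:]
        data = bytes(a ^ b for a, b in zip(sealed, _stream(STATIC_KEY, nonce, len(sealed))))
        fields = json.loads(data)
        if "username" not in fields:          # the only validation performed
            return None
        return {"user": fields["username"], "admin": bool(fields.get("is_admin"))}


# ---- Hardened design: salted iterated KDF for credentials, a random key per
# unit, and a cookie holding only an opaque id bound to a server-side record.
PBKDF2_ROUNDS = 100_000   # tune upward for production, or use scrypt/argon2


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password); each user gets a fresh salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class HardenedNas:
    def __init__(self, users):
        # users: {name: (stored_hash, is_admin)}. The key is generated on this
        # unit at first boot, so a cookie issued by another unit never verifies.
        self.users = users
        self.key = secrets.token_bytes(32)
        self.sessions = {}                    # session id -> server-side record

    def login(self, username, password):
        record = self.users.get(username)
        if record is None or not verify_password(password, record[0]):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "admin": record[1]}
        tag = hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def authorize(self, cookie):
        sid, _, tag = cookie.partition(".")
        expected = hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                       # forged, tampered or foreign cookie
        return self.sessions.get(sid)         # privilege flag comes from the server

    def logout(self, cookie):
        self.sessions.pop(cookie.partition(".")[0], None)


if __name__ == "__main__":
    users = {"alice": (hash_password("correct-horse"), False)}
    nas = HardenedNas(users)
    cookie = nas.login("alice", "correct-horse")
    print(nas.authorize(cookie))              # {'user': 'alice', 'admin': False}
    print(HardenedNas(users).authorize(cookie))   # None: different unit, different key
```

In the weak model a cookie minted with the fleet-wide key is accepted by any unit with whatever is_admin value it carries; in the hardened model the cookie is useless on another unit, a single flipped character fails the tag check, and changing a user’s privileges means editing the server-side record rather than anything the browser holds.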
As for remediation, Reeves said:
At the time of writing there is no firmware version available for download that contains fixes for the issues listed in this advisory. It is recommended that consumers of these Seagate Business NAS products (and other products using vulnerable firmware) ensure that devices are not accessible via the public Internet. For internal use, it is recommended that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface.
Now that Reeves has publicly released the Seagate NAS zero-day advisory, Seagate will likely respond to the unpleasant PR with the appropriate security reaction: releasing a fix.
Seagate sent the following statement:
Security and data privacy are a priority for Seagate. We are aware of the vulnerability report and will take appropriate action to resolve.
Seagate admits the flaw is real, but won't patch until May. Below is the official statement:
After careful analysis, Seagate has confirmed that the vulnerability on our Business Storage NAS products is low risk and affects only those Business Storage NAS products used on networks that are publicly accessible via the Internet.
With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible.
All Business Storage NAS customers are encouraged to follow the instructions outlined in the article linked below to ensure the product is secure and inaccessible by an unauthorized third party. Additionally, Seagate recommends as a best practice that customers secure their internal network by implementing a firewall.
For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May, 2015.