Seagate currently fixed various vulnerabilities revealed by researchers in the company’s Personal Cloud and GoFlex products, but certain flaws influencing the occurring remain unpatched.
GoFlex Home Vulnerabilities
A researcher named Aditya K. Sood exposed vulnerabilities last year in September that can be oppressed for cross-site scripting (XSS) and man-in-the-middle (MitM) threats in Seagate’s GoFlex Home network-attached storage (NAS) product. GoFlex users are offered with a web service, which is accessible at seagateshare.com, and lets them to distantly handle the product and upload data files to the cloud. The specific service can be functioned practicing the name of the device, a username, and a password. An HTTP server exists in the GoFlex firmware needs port accelerating on the customer’s router so as to link to the web service.
The researcher further discovered that the embedded server yet assists SSLv2 and SSLv3, and the seagateshare.com service offers SSLv3. SSLv2 and SSLv3 are outdated protocols that are known to be susceptible to MitM threats, containing via the techniques called DROWN and POODLE. The researcher has recognized more than 50,000 Seagate devices “hosted on unique IP addresses” that have SSLv2 and SSLv3 permitted. The researcher also noted that the distinct name (device_id) of each device is not tough to discover. All through the tests he controlled, the expert handled to gather more than 17,000 distinct device IDs.
The researcher identified additional security hole which is an XSS marking the seagateshare.com website. A cyberpunk could have oppressed this vulnerability to implement harmful code in the framework of a customer’s browsing session by receiving the victim to click on a particularly crafted link. Whereas Seagate has patched the XSS susceptibility, the company communicated to the researcher it does not organize on stating the issue associated to the practice of SSLv2 and SSLv3. The researcher also revealed further technical details about his discoveries this Monday on the susceptibilities are available on his personal blog.
Personal Cloud Vulnerabilities
A researcher from Securify; named Yorick Koster also revealed some vulnerabilities recently and he further exposed in Seagate products. Precisely, he discovered that Personal Cloud NAS devices are influenced by command inoculation and an error of a file deletion. The security holes influence the Seagate Media Server application, which permits the users to access their photos, music and movies without any difficulty. The app can be functioned without verification and invalidated users can upload data files using a Public folder.
The command inoculation susceptibilities, trialed as CVE-2018-5347, let an invalidated cyberpunk to run random commands with source rights. The security holes can be oppressed distantly via Cross-Site Request Forgery – CSRF threats even if a device is not straightly linked to the Internet. The researcher also discovered that the Media Server app is influenced by a vulnerability that permits an invalidated cyberpunk to erase random files and folders from the NAS device. As Cross-Site Request Forgery securities are misplaced, this fix can also be oppressed distantly by receiving the directed user to function a particularly crafted website.
The susceptibilities determined by researcher were fixed by Seagate last year in December along with the launching of firmware version 18.104.22.168. Distinct advisories describing the command inoculation and error in file deletion, containing Proof-of-Concept – PoC code, were issued prior this month.