[German] Do you own a Seagate NAS device? Seagate has quietly fixed a security vulnerability in the firmware of its Seagate Personal Cloud Home Media Storage.
Seagate Personal Cloud Home Media is a Network Attached Storage (NAS) device that also provides a media server, a popular feature in such home systems.
Unauthenticated command injections possible
The Media Server in Seagate Personal Cloud Home NAS drives is reachable via UPnP and DLNA. This Media Server runs a Django (Python) application. Security researcher Yorick Koster discovered two vulnerabilities in this app. By sending malformed requests to two endpoints (getLogs and uploadTelemetry), an attacker can inject commands through the web interface and have them executed on the NAS's firmware.
Koster developed proof-of-concept code for these vulnerabilities. Using it, he was able to obtain remote SSH access to the NAS and change the root password.
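The root cause described above is request parameters reaching a shell. As an added illustration (not Seagate's code, and not Koster's proof of concept), this is how a log-retrieval handler such as the getLogs endpoint can be written so that no request parameter is ever interpreted by a shell: every parameter is checked against an allowlist and the command is passed to subprocess as an argv list with shell=False. The parameter names, log names and log directory are assumptions.

```python
import re
import subprocess
from pathlib import Path

LOG_DIR = Path("/var/log/media-server")          # assumed location of the server's logs
ALLOWED_LOGS = {"server", "transcode", "upnp"}   # allowlist of log names a client may request
_NAME_RE = re.compile(r"^[a-z]+$")               # only plain lowercase words, nothing else


class BadRequest(ValueError):
    """Raised for any parameter that does not match the allowlist (maps to HTTP 400)."""


def validate_log_request(name: str, lines: str) -> tuple[str, int]:
    """Validate untrusted request parameters before any file or process access.

    Shell metacharacters, path traversal and oversized values are all rejected
    here, so the code below never has to reason about them.
    """
    if not _NAME_RE.fullmatch(name) or name not in ALLOWED_LOGS:
        raise BadRequest(f"unknown log: {name!r}")
    if not lines.isdigit():
        raise BadRequest("lines must be a positive integer")
    n = int(lines)
    if not 1 <= n <= 1000:
        raise BadRequest("lines out of range")
    return name, n


def build_tail_argv(name: str, n: int) -> list[str]:
    """Build the argv list for tail. Each element is one argument; no shell
    parsing, word splitting or metacharacter handling ever takes place."""
    return ["tail", "-n", str(n), str(LOG_DIR / f"{name}.log")]


def get_logs(params: dict) -> str:
    """Hypothetical handler body; in Django `params` would be request.GET."""
    name, n = validate_log_request(params.get("name", ""), params.get("lines", "100"))
    result = subprocess.run(
        build_tail_argv(name, n),
        shell=False,            # argv is executed directly, never via /bin/sh
        capture_output=True,
        text=True,
        check=False,
    )
    return result.stdout
```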
Bug not easily exploitable
Bleeping Computer, who reported this, writes that the vulnerability isn't easily exploitable, because the Media Server is only reachable from the local network. An attacker needs to convince a user who has access to the NAS device to visit a website that runs malicious code. The DNSChanger exploit kit uses this trick to access routers and IoT devices inside networks.
Seagate patches silently
Security researcher Koster contacted Beyond Security's SecuriTeam program, which informed Seagate about the problem on his behalf. Seagate was informed of the vulnerability on October 16, writes SecuriTeam in its advisory. While Seagate confirmed receipt of the information, it declined to respond to the technical content. No schedule for patches was given, and further cooperation was refused.
Security researcher Koster told Bleeping Computer that the NAS firmware has recently been patched. He pointed to the changelog of Seagate Personal Cloud firmware version 22.214.171.124, where Seagate wrote:
NAS OS version 126.96.36.199
- Fix for a security issue with Seagate Media Server API
- Google Drive Backup/Sync improvements
- Seagate Media Server Bug fixes
Finally, do any of you have the Seagate Personal Cloud NAS in operation? If so, have you heard anything about this fix?