Vulnerability Note VU#515283
Seagate BlackArmor device static administrator password reset vulnerability
Overview
The Seagate BlackArmor network attached storage device contains a static administrator password reset vulnerability.
Description
The Seagate BlackArmor network attached storage device contains a static PHP file used to reset the administrator password. A remote unauthenticated attacker with access to the device's management web server can directly access the webpage http://DevicesIpAddress/d41d8cd98f00b204e9800998ecf8427e.php and reset the administrator password.
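A log check for the request described above, added here as an example and not part of the original note or any vendor tooling: it scans web access log lines for requests to the reset page and marks those that come from outside the management network. The log source (a proxy or gateway in front of the device writing common log format), the `MGMT_NETS` subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Path of the static reset page named in this note.
RESET_PATH = "/d41d8cd98f00b204e9800998ecf8427e.php"
# Assumption: the only subnet that should reach the management web server.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_reset_requests(lines, mgmt_nets=MGMT_NETS):
    """Return one record per logged request for the reset page."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        # Normalise the target: drop scheme, host and query string, decode %xx.
        path = unquote(urlsplit(m["target"]).path)
        if path != RESET_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            outside = not any(src in net for net in mgmt_nets)
        except ValueError:
            outside = True  # client field is not an IP literal: treat as untrusted
        hits.append({"time": m["ts"], "src": m["ip"], "method": m["method"],
                     "status": int(m["status"]), "outside_mgmt": outside})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.5 - - [23/May/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.77 - - [23/May/2012:10:04:41 +0000] '
    '"GET /d41d8cd98f00b204e9800998ecf8427e.php HTTP/1.1" 200 812',
    '192.0.2.9 - - [23/May/2012:10:09:13 +0000] '
    '"GET /d41d8cd98f00b204e9800998ecf8427e.php?x=1 HTTP/1.1" 404 0',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `outside_mgmt` set means the management web server is reachable from an address that the access restriction should have blocked.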
Impact
A remote unauthenticated attacker may be able to reset the administrator password of the device.
Solution
Update
The vendor has stated that updated firmware has been released that addresses this vulnerability. Updated firmware for 1, 2 and 4-bay Seagate BlackArmor devices can be found under the "Downloads" tab on the vendor's support website.
Restrict network access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Seagate Technology LLC | Affected | 07 Mar 2012 | 17 Jul 2012 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 5.8 | E:POC/RL:W/RC:UC |
| Environmental | 1.6 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://www.seagate.com/www/en-us/products/network_storage/blackarmor/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-110/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-220/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-440/
- http://forums.seagate.com/t5/BlackArmor-NAS-Network-Storage/Announcement-New-limited-release-firmware-is-available-for-all/td-p/164862
Credit
Thanks to Jason Ellison for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-2568
- Date Public: 23 May 2012
- Date First Published: 23 May 2012
- Date Last Updated: 18 Jul 2012
- Document Revision: 29