Vulnerability Note VU#903500
Seagate and LaCie wireless storage products contain multiple vulnerabilities
Multiple Seagate wireless storage products contain multiple vulnerabilities.
CWE-798: Use of Hard-coded Credentials - CVE-2015-2874
Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password.
A remote unauthenticated attacker may access arbitrary files on the storage device, or gain root access to the device.
Update the firmware
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|LaCie||Affected||-||08 Sep 2015|
|Seagate Technology LLC||Affected||-||07 Sep 2015|
CVSS Metrics (Learn More)
Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for reporting this vulnerability to us. Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure. Also thanks to KoreLogic for reporting the GoFlex Satellite vulnerability to Seagate and working with Seagate on a resolution.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-2874 CVE-2015-2875 CVE-2015-2876
- Date Public: 01 Sep 2015
- Date First Published: 01 Sep 2015
- Date Last Updated: 08 Dec 2015
- Document Revision: 64
If you have feedback, comments, or additional information about this vulnerability, please send us email.