CERT Coordination Center


Seagate and LaCie wireless storage products contain multiple vulnerabilities

Vulnerability Note VU#903500

Original Release Date: 2015-09-01 | Last Revised: 2015-12-08

Overview

Multiple Seagate wireless storage products contain multiple vulnerabilities.

Description

CWE-798: Use of Hard-coded Credentials - CVE-2015-2874

Some Seagate wireless storage products provide undocumented Telnet services that can be accessed with the default credentials: the username 'root' and the default password.

CWE-425: Direct Request ('Forced Browsing') - CVE-2015-2875

Under a default configuration, some Seagate wireless storage products provide an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2015-2876

Under a default configuration, some Seagate wireless storage products allow anonymous attackers with wireless access to upload files to the device's /media/sda2 filesystem. This filesystem is reserved for file sharing.

These vulnerabilities were confirmed by the reporter as existing in firmware versions 2.2.0.005 and 2.3.0.014, dating to October 2014. Other firmware versions may be affected.

The following devices are impacted by this issue:

Impact

A remote unauthenticated attacker may access arbitrary files on the storage device, or gain root access to the device.

Solution

Update the firmware
Seagate has released firmware 3.4.1.105 to address these issues in all affected devices. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate's website. Seagate encourages any customer encountering issues to contact customer service at 1-800-SEAGATE.

Vendor Information

LaCie

Updated:  September 08, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The LaCie FUEL is affected (note that LaCie has been a subsidiary of Seagate since 2012). Seagate has released firmware 3.4.1.105 to address these issues in all affected devices. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate's website. Seagate encourages any customer encountering issues to contact customer service at 1-800-SEAGATE.

Vendor References

https://apps1.seagate.com/downloads/request.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Seagate Technology LLC

Updated:  September 07, 2015

Statement Date:   July 20, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following devices are impacted by this issue:

Seagate has released firmware 3.4.1.105 to address these issues in all affected devices. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from

Vendor References

https://apps1.seagate.com/downloads/request.html

Addendum

There are no additional comments at this time.


CVSS Metrics

Group          Score  Vector
Base           7.7    AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal       6.0    E:POC/RL:OF/RC:C
Environmental  4.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for reporting this vulnerability to us. Tangible Security would also like to publicly thank Seagate for their cooperation and desire to make their products and customers more secure. Also thanks to KoreLogic for reporting the GoFlex Satellite vulnerability to Seagate and working with Seagate on a resolution.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2874, CVE-2015-2875, CVE-2015-2876
Date Public: 2015-09-01
Date First Published: 2015-09-01
Date Last Updated: 2015-12-08 23:01 UTC
Document Revision: 64

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.