Yes our NAS boxen have a 0day, says Seagate: we'll fix it in May

Owners of some Seagate NAS boxen will be exposed to a remote execution zero day flaw until a patch drops in May unless they kill some external services.

The company learned of flaw in its Business Storage 2-bay NAS products on 18 October, 2014. Australian Beyond Binary hacker OJ Reeves alleged the company failed to fix the flaw or establish a reliable bug disclosure process.

"At the time of writing, Shodan reports that there are over 2500 publicly exposed devices on the internet that are likely to be vulnerable," Reeves wrote of the flaws.

Seagate has since told media it considers the vulnerability "low risk" as it affects Business Storage NAS products used on publicly-accessible networks.

As Vulture South reported versions up to 2014.00319 of the software powering the boxen contain remotely-exploitable versions of PHP (CVE-2006-7243), CodeIgniter and Lighttpd, which permit file path specification attacks and root exploitation.

The CodeIgniter vuln is a little more complex: there's a combination of two bugs, CVE-2014-8686 and CVE-2014-8687.

Seagate which previously told El Reg it would take "appropriate action" says remote hacking is "unlikely".

"Some customers are concerned about the risk of having their NAS remotely hacked through the internet," Seagate says.

"... this is an unlikely scenario."

It recommends customers kill UPnP port forwarding for web access and FTP service under the NAS administrator page, and slap firewalls in front of the boxes.

The PHP session token CodeIgniter creates includes user-controllable data which Beyond Binary says “makes it possible for users to extract the encryption key and decrypt the content of the cookie".

“Once decrypted, users can modify the content of the cookie and re-encrypt it prior to submitting it back to the server, resulting in other potential attack vectors including PHP object injection”.

Reeves says all vulnerable NAS boxes also ship an identical CodeIgniter encryption key. ®