Tangible Announcements

McLean, VA, September 2, 2015,

Tangible Security researchers Mike Baucom, J. Rach, and Allen Harper discovered critical vulnerabilities in a wireless network storage device by Seagate.

The following devices with firmware versions 2.2.0.005 and 2.3.0.014, dating to October 2014, are vulnerable to three attack vectors (below). Other firmware versions may be affected.
  • Seagate Wireless Plus Mobile Storage
  • Seagate Wireless Mobile Storage
  • LaCie FUEL
With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor. Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.

The vulnerabilities are:

Use of Hard-coded Credentials
  • Vulnerability Description: The affected device firmware contains undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password
  • Impact Description: an attacker can covertly take control of the device, not only compromising the confidentiality of files stored on it but use it as a platform to conduct malicious operations beyond the device
  • CVE-2015-2874
  • CWE-798
Direct Request ('Forced Browsing')
  • Vulnerability Description: The affected device firmware provides unrestricted file download capability
  • Impact Description: Attackers can gain access all files stored in affected devices. This vulnerability requires attackers to be within range of the device’s wireless network
  • CVE-2015-2875
  • CWE-425
Unrestricted Upload of File with Dangerous Type
  • Vulnerability Description: The affected device firmware provides a file upload capability to the device's /media/sda2 file system, which is reserved for the file sharing
  • Impact Description: this vulnerability requires attackers to be within range of the device’s wireless network, who can upload files onto it. If such files were maliciously crafted, they could compromise other endpoints when the files are opened
  • CVE-2015-2876
  • CWE-434
Tangible Security is unaware of any public exploits of these vulnerabilities. However, due to the categorization of these vulnerabilities, it may be reasonable to believe that cyber criminals are doing so.

Solution Seagate has posted firmware updates that patch these vulnerabilities. [https://apps1.seagate.com/downloads/request.html]

We urge users of these devices, including older and newer models, to download and install the latest firmware updates available from Seagate that address these vulnerabilities. Failing to do so exposes those benefiting from the use of these devices to cyber crime risks.

Timeline:
  • Vendor contacted and details of vulnerabilities disclosed - March 18, 2015
  • Vendor confirmed vulnerabilities - March 30, 2015
  • Patch tested/confirmed by Tangible Security - July 8, 2015
  • US CERT coordinates release of advisory with vendor - July 20, 2015
  • US CERT publishes advisory- September 1, 2015
Our researchers wish to express their appreciation for the cooperation of Seagate and the CERT(R) Coordination Center of the Software Engineering Institute at Carnegie Mellon University. We share their desire to make Internet of Things products more secure.