Seagate's NAS with a security vulnerability - be sure to update the firmware
Discovered vulnerability CVE-2018-5347 in the Media Server network application in Seagate Personal Cloud Home allowed the attacker to execute commands with root privileges on non-updated firmware versions older than 220.127.116.11.
In the published PoC, researcher Yorick Koster discovered errors in the security features of uploadTelemetry and getLogs in the views.py file - graphical software for obtaining remote (from the Internet) access to files on the device in the local network.
Is the gap serious? Not so much, because vulnerability can be used only from the local network, but ...
A person who manages to access the device (eg through specially designed malicious software delivered to the home / office network through malvertising or phishing or a drive-by attack) can start the SSH server on it and thus gain full access to the device with root privileges . The acquired NAS can be used to attack other users, send SPAM, pornographic material, participate in DDoS attacks and much more.
Seagate was informed about a security vulnerability on October 16, but refused to respond to technical requests.
However, the vulnerability has been patched "silently" in Seagate Personal Cloud, version 18.104.22.168.
There is nothing else to encourage to upgrade.
Learn more about our offer
We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.