Seagate's NAS with a security vulnerability - be sure to update the firmware

Discovered vulnerability CVE-2018-5347 in the Media Server network application in Seagate Personal Cloud Home allowed the attacker to execute commands with root privileges on non-updated firmware versions older than 4.3.18.0.

In the published PoC, researcher Yorick Koster discovered errors in the security features of uploadTelemetry and getLogs in the views.py file - graphical software for obtaining remote (from the Internet) access to files on the device in the local network.
Is the gap serious? Not so much, because vulnerability can be used only from the local network, but ...

A person who manages to access the device (eg through specially designed malicious software delivered to the home / office network through malvertising or phishing or a drive-by attack) can start the SSH server on it and thus gain full access to the device with root privileges . The acquired NAS can be used to attack other users, send SPAM, pornographic material, participate in DDoS attacks and much more.

Seagate was informed about a security vulnerability on October 16, but refused to respond to technical requests.

However, the vulnerability has been patched "silently" in Seagate Personal Cloud, version 4.3.18.0.

There is nothing else to encourage to upgrade.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.