
Security warning issued for Seagate Business Storage NAS system

Organizations using Seagate Technology’s Business Storage NAS systems are being cautioned to take steps to avoid the arrays being remotely hacked through the Internet.

Seagate has issued an advisory calling this “an unlikely scenario” because the systems would only be at risk if they are connected to the Internet. However, the disk manufacturer said there are things an owner can do to avoid exposing the NAS.

These include disabling UPnP Port Forwarding in the unit’s Manager Page software, or, if Port Forwarding was set up manually in the router, disabling the HTTP and HTTPS port mappings for the Seagate NAS box through the router’s Web setup page.

According to Threat Post, a software patch will be issued in May. The company told the site that with factory settings, Business NAS products “are not vulnerable. The user has to intentionally change a default setting to become susceptible.”

Threat Post said the issue came to light last week when an Australian security company tried and failed to get Seagate to quickly issue a fix to a problem it found. It said Seagate Business Storage boxes running firmware versions up to and including 2014.00319 are vulnerable and exploitable without authorization.

The Business Storage line is aimed at SMBs. According to Threat Post, Beyond Binary says the issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. Beyond Binary says the outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011, all of which have their own set of vulnerabilities, although these have been addressed in later versions of the respective components.

Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
