A two-bay Seagate network attached storage unit

Organizations using Seagate Technology’s Business Storage NAS systems are being cautioned to take steps to avoid the arrays being remotely hacked through the Internet.

Seagate has issued an advisory that it is “an unlikely scenario” because the systems would only be at risk if they are connected to the Internet. However, the disk manufacturer said there are things an owner can do to avoid the exposure of the NAS.

These include disabling UPnP Port Forwarding in the unit’s Manager Page software, or, if Port Forwarding was set up manually in the router, disabling mapping for HTTP and HTTPS protocol related to the Seagate NAS box through the router’s Web setup page.

According to Threat Post, a software patch will be issued in May. The company told the site that with factory settings, Business NAS products “are not vulnerable. The user has to intentionally change a default setting to become susceptible.”

Threat Post said the issue came to light last week when an Australian security company tried and failed to get Seagate to quickly issue a fix to a problem it found. It said Seagate Business Storage boxes running firmware version up to and including 2014.00319 are vulnerable and exploitable without authorization.

The Business Storage line is aimed at SMBs. According to Threat Post, Beyond Binary says the issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. Beyond Binary says the outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011, all of which have their own set of vulnerabilities. But they have been addressed in later versions of the respective components.

Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said.