Seagate patches Personal Cloud NAS file deletion flaw

January 15, 2018 // 10:52 a.m.

Tags: #cross-site-request-forgery #csrf #insecurity #nas #network-attached-storage #personal-cloud #security #vulnerability #yorick-koster

Owners of Seagate Personal Cloud network-attached storage (NAS) products are advised to upgrade to firmware release 4.3.18.0 as soon as possible, following the discovery of a remotely exploitable security vulnerability which allows for deletion of arbitrary files and directories.

Designed for home, rather than business, use, Seagate's Personal Cloud products come in single- and two-drive variants and provide built-in software for everything from direct file sharing and backup to connection through to external services including Google Drive and Dropbox. Unfortunately, a security vulnerability has been discovered in releases prior to 4.3.18.0 which allows attackers to delete arbitrary directories and files stored on the device without the need to authenticate with a valid user account.

According to a mailing list message posted by security researcher Yorick Koster over the weekend, the vulnerability stems from a lack of protection against cross-site request forgery (CSRF) attacks. Although the vulnerability is not directly exploitable on the device without ports being forwarded on a router for public access, it can be triggered from any machine on the same network via a malicious website or other script - and because Seagate's Media Server software runs with super-user privileges, the attacker is then free to delete, but not view, any data stored on the device.
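The flaw class described above is easier to reason about with a minimal model of a web handler. The following is an added illustration, not Seagate's firmware or Koster's advisory code: it models a "delete path" action on a NAS admin interface, first without any cross-site request check (the pattern that lets a page on another site trigger the action through the victim's browser, which attaches the session cookie automatically), then with the two standard mitigations, an Origin/Referer allow-list and a per-session synchronizer token compared in constant time. The host name `nas.local`, the request dictionaries and the in-memory "filesystem" are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed: the origins from which the device's own UI is served.
ALLOWED_ORIGINS = {"http://nas.local", "https://nas.local"}


def new_session():
    """Create a logged-in session carrying a fresh CSRF token.

    The token is issued once per session, embedded in the device's own
    pages, and must be echoed back with every state-changing request.
    """
    return {"id": secrets.token_hex(16), "csrf_token": secrets.token_urlsafe(32)}


def handle_delete_unprotected(session, request, fs):
    """'Before' behaviour: any request arriving with a valid session is honoured.

    Nothing distinguishes a request the user made from one a third-party
    page caused the browser to send, so a cross-site page can delete data.
    """
    fs.discard(request["form"]["path"])
    return 200


def csrf_check(session, request):
    """Return None if the request passes, otherwise a short failure reason."""
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return "cross-site origin"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "bad csrf token"
    return None


def handle_delete_protected(session, request, fs):
    """'After' behaviour: refuse the action unless both CSRF checks pass."""
    if csrf_check(session, request) is not None:
        return 403
    fs.discard(request["form"]["path"])
    return 200


def demo():
    """Run a constructed cross-site request against both handlers.

    Returns (unprotected_status, protected_status, same_origin_status,
    survived_unprotected, survived_protected).
    """
    session = new_session()

    # Constructed cross-site request: the browser attached the session
    # cookie, but the page that caused it lives on another origin and
    # knows no CSRF token.
    cross_site = {
        "headers": {"Origin": "http://attacker.example"},
        "form": {"path": "/shares/photos"},
    }
    # Constructed same-origin request from the device's own UI.
    same_origin = {
        "headers": {"Origin": "https://nas.local"},
        "form": {"path": "/shares/old-backups", "csrf_token": session["csrf_token"]},
    }

    fs_a = {"/shares/photos", "/shares/old-backups"}
    fs_b = {"/shares/photos", "/shares/old-backups"}

    unprotected = handle_delete_unprotected(session, cross_site, fs_a)
    protected = handle_delete_protected(session, cross_site, fs_b)
    legitimate = handle_delete_protected(session, same_origin, fs_b)
    return (unprotected, protected, legitimate,
            "/shares/photos" in fs_a, "/shares/photos" in fs_b)


if __name__ == "__main__":
    print(demo())
```

Either check alone narrows the window: the origin allow-list stops browsers that send `Origin` or `Referer`, and the token stops any request built without access to the device's own pages. Marking the session cookie `SameSite=Lax` or `Strict` is a further, complementary defence, since the browser then withholds the cookie from cross-site POSTs in the first place.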

Seagate has confirmed the vulnerability and has released a fix in the form of firmware 4.3.18.0, which is a recommended upgrade for all Personal Cloud users. Details of the new release are available on the official website, while the firmware update itself can be accessed by putting a valid serial number into the company's firmware finder.
