January 15, 2018 // 10:52 a.m.
Owners of Seagate Personal Cloud network-attached storage (NAS) products are advised to upgrade to firmware release 220.127.116.11 as soon as possible, following the discovery of a remotely exploitable security vulnerability which allows for deletion of arbitrary files and directories.
Designed for home, rather than business, use, Seagate's Personal Cloud products come in single- and two-drive variants and provide built-in software for everything from direct file sharing and backup to connection through to external services including Google Drive and Dropbox. Unfortunately, a security vulnerability in releases prior to 18.104.22.168 has been discovered and which allows attackers to delete arbitrary directories and files stored on the device without the need to authenticate with a valid user account.
According to a mailing list message posted by security researcher Yorick Koster over the weekend, the vulnerability stems from a lack of protection against cross-site request forgery (CSRF) attacks. Although the vulnerability is not directly exploitable on the device without ports being forwarded on a router for public access, it can be triggered from any machine on the same network via a malicious website or other script - and because Seagate's Media Server software runs with super-user privileges, the attacker is then free to delete, but not view, any data stored on the device.
Seagate has confirmed the vulnerability and has released a fix in the form of firmware 22.214.171.124, which is a recommended upgrade for all Personal Cloud users. Details of the new release are available on the official website, while the firmware update itself can be accessed by putting a valid series number into the company's firmware finder.