Seagate patches Personal Cloud NAS file deletion flaw

January 15, 2018 | 10:52

Tags: #cross-site-request-forgery #csrf #insecurity #nas #network-attached-storage #personal-cloud #security #vulnerability #yorick-koster

Companies: #seagate

Owners of Seagate Personal Cloud network-attached storage (NAS) products are advised to upgrade to firmware release as soon as possible, following the discovery of a remotely exploitable security vulnerability which allows for deletion of arbitrary files and directories.

Designed for home, rather than business, use, Seagate's Personal Cloud products come in single- and two-drive variants and provide built-in software for everything from direct file sharing and backup to connection through to external services including Google Drive and Dropbox. Unfortunately, a security vulnerability in releases prior to has been discovered which allows attackers to delete arbitrary directories and files stored on the device without the need to authenticate with a valid user account.

According to a mailing list message posted by security researcher Yorick Koster over the weekend, the vulnerability stems from a lack of protection against cross-site request forgery (CSRF) attacks. Although the vulnerability is not directly exploitable on the device without ports being forwarded on a router for public access, it can be triggered from any machine on the same network via a malicious website or other script - and because Seagate's Media Server software runs with super-user privileges, the attacker is then free to delete, but not view, any data stored on the device.

Seagate has confirmed the vulnerability and has released a fix in the form of firmware, which is a recommended upgrade for all Personal Cloud users. Details of the new release are available on the official website, while the firmware update itself can be accessed by putting a valid serial number into the company's firmware finder.
