Seagate Patches for 3 Backdoor Security Vulnerabilities
Seagate issued patches for vulnerabilities in its wireless hard drives and is advising users to update the embedded firmware in the drives to fix the flaws.
Although wireless hard drives provide a convenient, untethered way to back up data, it's still critically important to keep the firmware on the wireless drives up-to-date. Seagate is advising users of its Wireless Mobile Storage and LaCie FUEL hard drives to update the embedded firmware to patch for multiple known vulnerabilities that could potentially enable a remote attacker to gain unauthorized access to a user's information.
In new firmware updates, Seagate is patching for three vulnerabilities (CVE-2015-2874, CVE-2015-2875 and CVE-2015-2876). Researchers from Tangible Security reported the vulnerabilities on March 28 to Seagate, which patched them on Sept. 1. According to Tangible Security, the flaws have been present in Seagate's devices since October 2014.
Among the flaws that Seagate is patching is a hard-coded administrative credentials issue (CVE-2015-2874). The hard-coded credentials included a default administrative account with the username and password of "root." To add further insult to injury, the hard-coded credentials were included in an undocumented component of the Seagate firmware that enabled Telnet services. Security experts widely regard Telnet as an insecure protocol that should not be used because it doesn't encrypt data. Tangible Security warned that the impact of the CVE-2015-2874 vulnerability is that an attacker could take control of a user's hard drive and also potentially use the device as a base from which to launch other attacks.
Another patched issue (CVE-2015-2875) is a direct-request, forced-browsing flaw.