Although wireless hard drives provide a convenient, untethered way to back up data, it’s still critically important to keep the firmware on the wireless drives up-to-date. Seagate is advising users of its Wireless Mobile Storage and LaCie FUEL hard drives to update the embedded firmware to patch for multiple known vulnerabilities that could potentially enable a remote attacker to gain unauthorized access to a user’s information.
In new firmware updates, Seagate is patching for three vulnerabilities (CVE-2015-2874, CVE-2015-2875 and CVE-2015-2876). Researchers from Tangible Security reported the vulnerabilities on March 28 to Seagate, which patched them on Sept. 1. According to Tangible Security, the flaws have been present in Seagate’s devices since October 2014.
Among the flaws that Seagate is patching is a hard-coded administrative credentials issue (CVE-2015-2874). The hard-coded credentials included a default administrative account with the username and password of “root.” To add further insult to injury, the hard-coded credentials were included in an undocumented component of the Seagate firmware that enabled Telnet services. Security experts widely regard Telnet as an insecure protocol that should not be used because it doesn’t encrypt data.
Tangible Security warned that the impact of the CVE-2015-2874 vulnerability is that an attacker could take control of a user’s hard drive and also potentially use the device as a base from which to launch other attacks.
Another patched issue (CVE-2015-2875) is a direct-request, forced-browsing flaw.
“Under a default configuration, Seagate wireless hard drives provide an unrestricted file download capability to anonymous attackers with wireless access to the device,” CERT warns in a vulnerability note.
The third issue that Seagate is patching, CVE-2015-2876, is an “unrestricted upload of file with dangerous type” flaw. The issue is that the unpatched firmeware allows access to a section of the hard drive that is intended to be used for file-sharing.
“This vulnerability requires attackers to be within range of the device’s wireless network who can upload files onto it,” Tangible Security warns in its advisory. “If such files were maliciously crafted, they could compromise other endpoints when the files are opened,” to protect against known security vulnerabilities.”
Seagate Wireless Mobile Storage, Wireless Plus Mobile Storage and LaCie FUEL device owners should update their drives with the new 22.214.171.124 firmware version, which patches all three security issues. While the CERT advisory only covers three devices as being affected, Tangible Security warns that the risk may potentially extend further.
“With products from large vendors, such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or [that of] another vendor,” Tangible stated. “Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected. “
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.