The Seagate 36C wireless hard-drive contains multiple vulnerabilities.
CVE-2015-2874
The Seagate 36C wireless hard-drive provides undocumented Telnet services that are accessible with the default credentials: the username ‘root’ and the default password.
CVE-2015-2875
Under a default configuration, the Seagate 36C wireless hard-drive provides an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.
CVE-2015-2876
Under a default configuration, the Seagate 36C wireless hard-drive provides a file upload capability to anonymous attackers with wireless access to the device’s /media/sda2 filesystem. This filesystem is reserved for file sharing.
Seagate has released firmware 3.4.1.105 to address these issues. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate’s website.