Seagate Business NAS that run firmware versions up to and including version 2014.00319 were found to be vulnerable to a number of issues that allow for remote root code execution.These vulnerabilities are exploitable without requiring any form of authorisation.
Seagate Business NAS products come with outdated software :
- PHP version 5.2.13 (CVE-2006-7243)
- CodeIgniter 2.1.0 (CVE-2014-8686, CVE-2014-8686, CVE-2014-8687)
Public exploits are available.
Thousands of exploitable NAS are publicly exposed on the Internet according to Shodan.
Seagate was notified of the flaws in last September by Beyond Binary, who discovered the NAS vulnerability.
After a 100 days without a patch from the vendor, Beyond Binary released the public advisory.
