30 May 2012

Seagate BlackArmor Storage Device Pierced with Password Reset Bug

A security vulnerability discovered in the BlackArmor line of network-attached storage devices from Seagate may lead to sensitive information theft, according to a vulnerability note by US-CERT.

The BlackArmor series features a web-based administrative interface that allows an administrator, after logging in, to take control of the server and the data stored on it. While strong login credentials would usually prevent unauthorized parties from claiming administrative access to the device, a bug in the password reset feature allows practically anyone who can reach the management interface to take control of the NAS.

"The Seagate BlackArmor network attached storage device contains a static php file used to reset the administrator password," states the report. "A remote unauthenticated attacker with access to the device's management web server can directly access the webpage, d41d8cd98f00b204e9800998ecf8427e.php and reset the administrator password."
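Because the reset page is a fixed, unauthenticated URL, the most useful defensive signal is any request for that file name in the management web server's access log. The following detection script is an added example, not code from the original article, US-CERT or Seagate; the log lines and IP addresses in it are constructed, and the combined log format is an assumption about how the device logs requests.

```python
import re
from typing import NamedTuple

# Constructed sample access log lines (Apache combined format) from a
# hypothetical BlackArmor management web server; these are not real captures.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2012:09:12:01 +0000] "GET /login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [30/May/2012:09:12:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.77 - - [30/May/2012:11:47:33 +0000] "GET /d41d8cd98f00b204e9800998ecf8427e.php HTTP/1.1" 200 512 "-" "curl/7.22.0"
10.0.0.77 - - [30/May/2012:11:47:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.22.0"
"""

# File name of the static password reset page named in the US-CERT note.
RESET_PAGE = "d41d8cd98f00b204e9800998ecf8427e.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    status: int
    user_agent: str


def find_reset_page_hits(log_text: str) -> list[Hit]:
    """Return every request whose path ends in the reset page file name.

    The match ignores the directory prefix and any query string, so a
    request for the page under another path still triggers an alert.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == RESET_PAGE:
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            int(m.group("status")), m.group("ua")))
    return hits


if __name__ == "__main__":
    for hit in find_reset_page_hits(SAMPLE_LOG):
        print(f"ALERT reset page reached: {hit.ip} at {hit.ts} ({hit.method}, HTTP {hit.status}, {hit.user_agent})")
```

A hit followed by a login from the same source, as in the constructed sample, is the pattern an incident responder would treat as a completed administrator password reset rather than a scan.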

This vulnerability is particularly serious because network-attached storage devices are targeted at businesses rather than regular end-users. In this context, any employee could gain privileged access to the company's sensitive data such as HR information, payrolls or, even worse, intellectual property and business processes.

According to the same report, the vendor has released an emergency patch that addresses the vulnerability. Companies that own 1-, 2- and 4-bay Seagate BlackArmor devices are advised to flash them with the updated firmware.