CERT VU:515283
History: May 23, 2012 - 12:00 a.m.

Seagate BlackArmor device static administrator password reset vulnerability

2012-05-2300:00:00
www.kb.cert.org

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

81.2%

Overview

The Seagate BlackArmor network attached storage device contains a static administrator password reset vulnerability.

Description

The Seagate BlackArmor network attached storage device contains a static PHP file used to reset the administrator password. A remote unauthenticated attacker with access to the device’s management web server can directly access the web page <http://DevicesIpAddress/d41d8cd98f00b204e9800998ecf8427e.php> and reset the administrator password.
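Because the reset script lives at a fixed path, requests to it are easy to pick out of the management web server's access log. The following detection routine is an added example, not part of the CERT note or Seagate's firmware; it assumes Apache/nginx "combined" log format, a constructed set of sample log lines, and an assumed management subnet (TRUSTED_PREFIX) from which administrator access is expected.

```python
import re
from datetime import datetime

# Path of the static password-reset script named in the advisory.
RESET_SCRIPT = "/d41d8cd98f00b204e9800998ecf8427e.php"

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample log lines (not from the advisory): one benign login,
# two hits on the reset script from an outside address, one 404 probe.
SAMPLE_LOG = """\
192.168.1.20 - - [23/May/2012:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2012:10:05:44 +0000] "GET /d41d8cd98f00b204e9800998ecf8427e.php HTTP/1.1" 200 311 "-" "curl/7.21"
203.0.113.7 - - [23/May/2012:10:05:51 +0000] "POST /d41d8cd98f00b204e9800998ecf8427e.php?x=1 HTTP/1.1" 200 87 "-" "curl/7.21"
198.51.100.9 - - [23/May/2012:11:20:00 +0000] "GET /nonexistent.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Management subnet from which admin access is expected (assumed value).
TRUSTED_PREFIX = "192.168.1."

def find_reset_attempts(log_text):
    """Return one dict per request that reached the static reset script.
    The query string is stripped first, so GET /...php?foo=bar also matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != RESET_SCRIPT:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # A 200 to an address outside the management subnet means the
            # unauthenticated reset page was served to an outsider.
            "untrusted_source": not m.group("ip").startswith(TRUSTED_PREFIX),
        })
    return hits

if __name__ == "__main__":
    for h in find_reset_attempts(SAMPLE_LOG):
        level = "ALERT" if h["untrusted_source"] and h["status"] == 200 else "info"
        print(f'{level}: {h["ip"]} {h["method"]} status={h["status"]} at {h["time"].isoformat()}')
```

Any hit on a device still running pre-fix firmware should be treated as a likely administrator-password reset and followed by a credential and configuration review of that device.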


Impact

A remote unauthenticated attacker may be able to reset the administrator password of the device.


Solution

Update

The vendor has stated that updated firmware has been released that addresses this vulnerability. Updated firmware for 1-, 2- and 4-bay Seagate BlackArmor devices can be found under the “Downloads” tab on the vendor’s support website.

The firmware versions that are reported to address this vulnerability are:
BlackArmorNAS 110: 1000.1301
BlackArmorNAS 220: 2000.1311
BlackArmorNAS 440: 4000.1391


Restrict network access

Restrict network access to the system web interface of Seagate BlackArmor network attached storage devices, and to other devices that use open protocols such as HTTP, so that only trusted management hosts can reach them.


Vendor Information


Seagate Technology LLC: Affected

Notified: March 07, 2012 Updated: July 17, 2012

Statement Date: June 26, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Vendor release notes:

4000.1391:
Release Date: June 12th, 2012
File size: 36 MB

Feature Enhancement:
Complete overhaul of the Seagate Global Access service offering that includes:

Vendor References

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.8    E:POC/RL:W/RC:UC
Environmental  1.6    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jason Ellison for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-2568
Date Public: 2012-05-23
Date First Published:
