SaaS webservice for Seagate’s GoFlex Home Storage devices vulnerable to MiTM and XSS

Security expert found more than 33000 Seagate’s GoFlex Home network-attached storage (NAS) devices vulnerable exposed online.

Seagate has patched several vulnerabilities in its Personal Cloud and GoFlex products, but unfortunately, some flaws remain unpatched.

In September, researcher Aditya K. Sood discovered vulnerabilities that can be exploited by attackers to launch cross-site scripting (XSS) and man-in-the-middle (MitM) attacks against Seagate GoFlex Home NAS product.

GoFlex Home NAS devices run a web service accessible at seagateshare.com, that allows users to remotely manage the device and its content. Customers can access their storage by providing the device name, and login credentials.

Seagate’s GoFlex Home NAS

The GoFlex firmware runs an HTTP server that requires users to enable port forwarding on their router in order to connect to the web service.

Sood noticed that the HTTP server supports the obsolete protocols SSLv2 and SSLv3, while the web service seagateshare.com service supports SSLv3.

Both protocols expose the users to MiTM attacks, including DROWN and POODLE.

“It has been discovered that embedded server still supports SSLv2 / SSLv3 whereas the
seagateshare.com supports SSLv3. We have looked into 50,000+ devices that are running on unique IPs that have SSLv2/ SSLv3 enabled.” states the analysis published by the expert. “Additionally, during standard tests, we have collected 17000+ URLs of seagateshare.com with unique device_ids.” 

The expert also discovered an XSS in the seagateshare.com website that could be exploited by an attacker to execute malicious code in the context of a user’s browsing session by tricking the victim into clicking on a specially crafted link.

The bad news for Seagate users is that the company has only fixed the XSS flaw, it doesn’t plan on fixing the remaining issue related to the use of SSLv2 and SSLv3.


Pierluigi Paganini

(Security Affairs – Seagate’s GoFlex Home NAS, hacking)



 

The post SaaS webservice for Seagate’s GoFlex Home Storage devices vulnerable to MiTM and XSS appeared first on Security Affairs.



Leave a Reply