Seagate, LaCie hard drive vulnerabilities, firmware update available

Found on the Twitter feed of Frank Denis:

Note there is a firmware update. See the full Vulnerability Note, excerpted below:

http://www.kb.cert.org/vuls/id/903500

Vulnerability Note VU#903500
Seagate wireless hard-drives contain multiple vulnerabilities

Last revised: 02 Sep 2015

Multiple Seagate wireless hard-drives contain multiple vulnerabilities.

CWE-798: Use of Hard-coded Credentials – CVE-2015-2874
Seagate wireless hard-drives provides undocumented Telnet services accessible by using the default credentials of ‘root’ as username and the default password.

CWE-425: Direct Request (‘Forced Browsing’) – CVE-2015-2875
Under a default configuration, Seagate wireless hard-drives provides an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.

CWE-434: Unrestricted Upload of File with Dangerous Type – CVE-2015-2876
Under a default configuration, Seagate wireless hard-drives provides a file upload capability to anonymous attackers with wireless access to the device’s /media/sda2 filesystem. This filesystem is reserved for the file-sharing.

These vulnerabilities were confirmed by the reporter as existing in firmware versions 2.2.0.005 and 2.3.0.014, dating to October 2014. Other firmware versions may be affected. The following devices are impacted by this issue: Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL.

Impact: A remote unauthenticated attacker may access arbitrary files on the hard drive, or gain root access to the device.

Solution: Update the firmware. Seagate has released firmware 3.4.1.105 to address these issues in all affected devices. Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate’s website. Seagate encourages any customer encountering issues to contact customer service at 1-800-SEAGATE.

https://apps1.seagate.com/downloads/request.html
http://knowledge.seagate.com/articles/en_US/FAQ/207931en
http://cwe.mitre.org/data/definitions/425.html
http://cwe.mitre.org/data/definitions/434.html
http://cwe.mitre.org/data/definitions/798.html

US-CERT vulnerability note on DSL routers

US-CERT has issued a Vulnerability Note (VU#950576) for some DSL routers, excerpted below, see US-CERT note for full details:

DSL routers contain hard-coded “XXXXairocon” credentials

DSL routers by ASUS, DIGICOM, Observa Telecom, Philippine Long Distance Telephone (PLDT), and ZTE contain hard-coded “XXXXairocon” credentials

CWE-798: Use of Hard-coded Credentials

DSL routers, including the ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN, and ZTE ZXV10 W300 contain hard-coded credentials that are useable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices, the username is “admin,” in the PLDT device, the user name is “adminpldt,” and in all affected devices, the password is “XXXXairocon” where “XXXX” is the last four characters of the device’s MAC address. The MAC address may be obtainable over SNMP with community string public. The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.

Impact: A remote attacker may utilize these credentials to gain administrator access to the device.

Solution: The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround: Restrict access: Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.
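The workaround above amounts to two firewall rules: telnet (23/tcp) reachable only from a trusted management prefix, and SNMP (161/udp) dropped outright so the MAC address cannot be read remotely. The following script is an added example, not part of the CERT note or any vendor firmware; it emits iptables rules for a Linux-based router or an upstream firewall you administer. The chain name MGMT_ONLY, the default trusted prefix 192.168.1.0/24 and the --apply flag are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the CERT note): generate iptables rules that
# allow telnet only from a trusted LAN prefix and drop SNMP entirely,
# matching the CERT/CC workaround for the hard-coded-credential routers.

# gen_restrict_rules TRUSTED_NET
# Prints the rule set to stdout; TRUSTED_NET defaults to 192.168.1.0/24
# (an assumed value; replace with your own management prefix).
gen_restrict_rules() {
    trusted="${1:-192.168.1.0/24}"
    cat <<EOF
iptables -N MGMT_ONLY
iptables -A MGMT_ONLY -s $trusted -j ACCEPT
iptables -A MGMT_ONLY -j DROP
iptables -A INPUT -p tcp --dport 23 -j MGMT_ONLY
iptables -A INPUT -p udp --dport 161 -j DROP
EOF
}

# With --apply the rules are executed (needs root and iptables on the
# box); without it they are only printed so they can be reviewed first.
if [ "$1" = "--apply" ]; then
    gen_restrict_rules "$2" | sh
else
    gen_restrict_rules "$1"
fi
```

Run it without arguments to review the rules, then with `--apply 192.168.1.0/24` (or your own prefix) on the device or firewall host. Dropping SNMP rather than restricting it follows the note's wording ("block SNMP on the device"); if you rely on SNMP monitoring from a fixed collector, send 161/udp through MGMT_ONLY instead of DROP.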

Vendors impacted include: AsusTek, DIGICOM, Observa Telecom, Philippine Long Distance Telephone, and ZTE Corporation.

See CERT VU for full information:
http://www.kb.cert.org/vuls/id/950576

http://seclists.org/fulldisclosure/2015/May/129
https://www.kb.cert.org/vuls/id/228886
https://www.asus.com/Networking/DSLN12E/
http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0
http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/