Overview
The Seagate BlackArmor network attached storage device contains a static administrator password reset vulnerability.
Description
The Seagate BlackArmor network attached storage device contains a static PHP file used to reset the administrator password. A remote unauthenticated attacker with access to the device's management web server can directly access the webpage, http://DevicesIpAddress/d41d8cd98f00b204e9800998ecf8427e.php, and reset the administrator password.
Impact
A remote unauthenticated attacker may be able to reset the administrator password of the device.
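A log check for requests to the reset page described above, as an added example that is not part of the original advisory or any vendor tooling. It assumes a reverse proxy or web gateway in front of the management interface that writes common/combined-format access logs; the sample lines and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Reset page path as given in the advisory.
RESET_PAGE = "/d41d8cd98f00b204e9800998ecf8427e.php"

# Common/combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [23/May/2012:10:01:02 +0000] "GET /d41d8cd98f00b204e9800998ecf8427e.php HTTP/1.1" 200 512
198.51.100.7 - - [23/May/2012:10:01:09 +0000] "POST /%6441d8cd98f00b204e9800998ecf8427e.php?a=1 HTTP/1.1" 200 128
192.0.2.44 - - [23/May/2012:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [23/May/2012:10:03:30 +0000] "GET http://192.0.2.10/./d41d8cd98f00b204e9800998ecf8427e.php HTTP/1.1" 403 0
"""


def normalized_path(target):
    """Reduce a request target to a decoded, dot-segment-free, lowercase path."""
    if target.startswith("/"):
        raw = target.split("?", 1)[0]          # origin-form: drop the query
    else:
        raw = urlsplit(target).path            # absolute-form seen in proxy logs
    # Lowercasing is deliberately over-inclusive so case variants are flagged too.
    return posixpath.normpath("/" + unquote(raw).lstrip("/")).lower()


def find_reset_page_requests(lines):
    """Return one record per log line that requests the reset page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalized_path(m["target"]) == RESET_PAGE:
            hits.append({"client": m["client"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits


def clients_reaching_page(hits):
    """Clients whose request was not refused (status below 400)."""
    return sorted({h["client"] for h in hits if h["status"] < 400})


if __name__ == "__main__":
    found = find_reset_page_requests(SAMPLE_LOG.splitlines())
    print("verify admin credentials after requests from:", clients_reaching_page(found))
```

A client listed by `clients_reaching_page` received a non-error response for the reset page, so the administrator password on that device should be treated as changed until verified.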
Solution
Update
The vendor has stated that updated firmware has been released that addresses this vulnerability. Updated firmware for 1, 2 and 4-bay Seagate BlackArmor devices can be found under the "Downloads" tab on the vendor's support website.
Restrict network access
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.8 | E:POC/RL:W/RC:UC |
Environmental | 1.6 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://www.seagate.com/www/en-us/products/network_storage/blackarmor/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-110/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-220/
- http://www.seagate.com/support/external-hard-drives/network-storage/blackarmor-nas-440/
- http://forums.seagate.com/t5/BlackArmor-NAS-Network-Storage/Announcement-New-limited-release-firmware-is-available-for-all/td-p/164862
Acknowledgements
Thanks to Jason Ellison for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2012-2568
Date Public: 2012-05-23
Date First Published: 2012-05-23
Date Last Updated: 2012-07-18 20:11 UTC
Document Revision: 29