Advisories & news 

10 March 2015

Opinion: Seagate's Analysis is Incorrect

Opinion Seagate

Context

On March 1st 2015 Beyond Binary went public with an advisory that disclosed 0day flaws in Seagate Business Storage 2-Bay NAS devices. Days later, Seagate responded to the advisory through a number of channels:

  • A direct email to Beyond Binary.
  • A public announcement on their website.
  • An email to journalists who wrote news articles about the disclosure experience.

The email that was sent to Beyond Binary was as follows:

Dear OJ,

We appreciate your communication and willingness to work with Seagate in order to improve our products and ensure security for our customers.

We apologize that our communication did not result in a true collaboration and ultimately a timely vulnerability fix. We remain committed to our customer's security and have taken action to develop a patch for download, which is expected to be available May 2015.

We have also provided our customers with the following article should they want to take immediate action to secure their products.

http://knowledge.seagate.com/articles/en_US/FAQ/006133en?language=en_US

We welcome continued work with you and are available should you have any questions.

[name redacted] Engineering Director [phone redacted]

[name redacted] PR Manager [phone redacted]

Best regards, [name redacted]

This response was clearly lacking in detail compared to the response received by journalists:

Hi [name redacted],

I wanted to share the below statement from Seagate following your recent query with regards to the zero day threat targeting Seagate NAS devices

‘After careful analysis, Seagate has confirmed that the vulnerability on our Business Storage NAS products is low risk and affects only those Business Storage NAS products used on networks that are publicly accessible via the Internet.

With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible.

All Business Storage NAS customers are encouraged to follow the instructions outlined in the article linked below to ensure the product is secure and inaccessible by an unauthorized third party. Additionally, Seagate recommends as a best practice that customers secure their internal network by implementing a firewall.

For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May, 2015.

http://knowledge.seagate.com/articles/en_US/FAQ/006133en?language=en_US

We encourage you to update your articles and would welcome additional questions.’

Thanks, [name redacted]

It is not clear why the extra detail was excluded in the first email. However, what is clear is that both emails are attempting to control brand damage, and in down-playing the severity of the problem are misleading their customers.

Breakdown

After careful analysis, Seagate has confirmed that the vulnerability on our Business Storage NAS products is low risk ...

This is incorrect. The ability to perform remote code execution on any device as the root user, pre-authenticated, is not considered "low risk". According to the CVSS 2 scoring system, this vulnerability achieves a base score of 10: (AV:N/AC:L/Au:N/C:C/I:C/A:C).

... and affects only those Business Storage NAS products used on networks that are publicly accessible via the Internet.

This is also incorrect. Attackers simply need to be able to reach the device. It is possible to reach such devices via a number of paths including network pivots. This response also fails to take into account internal employees or other people with physical access to the same network (such as subcontractors). Prevention of public access to the device only reduces the CVSS 2 base score by 1.7 points to 8.3: (AV:A/AC:L/Au:N/C:C/I:C/A:C).

With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible.

Again, incorrect. The NAS device has a web-based administrative portal which is enabled by default. If the web portal is available, the device can be compromised, as this is where the vulnerable code lies. Seagate are, again, incorrectly claiming that devices that aren't Internet-facing are safe.

For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May, 2015.

This timeline is unacceptable. May 2015 is 6 months after the initial disclosure and 4 months after the second disclosure. Resolution of the problems should be considered a much higher priority and a patch should be made available much sooner. This timeline is another indication of the level of commitment that Seagate has towards protecting its customers.

Conclusion

Seagate's handling of this disclosure has been poor, to say the least. Down-playing the issues in this way may lead customers into thinking that the vulnerability isn't severe, resulting in a lack of action on the customer's behalf. The lack of action in producing a fix for these issues is an indication of the level of importance Seagate places on keeping customers secure.

To those people considering purchasing a NAS solution, Beyond Binary recommends considering other vendors with a more proactive and responsive security position.