Yes our NAS boxen have a 0day, says Seagate: we'll fix it in May

Owners of some Seagate NAS boxen will be exposed to a remote code execution zero-day flaw until a patch drops in May, unless they disable some external services. The company learned of the flaw in its Business Storage 2-bay NAS products on 18 October 2014. Australian Beyond Binary hacker OJ Reeves alleged the company failed to fix the …

  1. Anonymous Coward

    This on top of the RAM reprogramming zero-day that Google found....

    You'd think that the number of zero-day exploits would be decreasing, given the focus on finding these over the last 10 years. However, I guess that bulletproof IT systems have the same delivery date as universal peace and understanding.

    1. Anonymous Blowhard

      Re: This on top of the RAM reprogramming zero-day that Google found....

      "You'd think that the number of zero-day exploits would be decreasing"

      Only if you were an engineer focussed on delivering secure products to your customers.

      Unfortunately the engineers' "customers" are corporations who want the lowest-cost solution to the problem of slurping their customers' data, so more and more "features" rely on hidden communications channels that consumers aren't aware of but criminals (the ones that didn't sell them the flawed product) are happy to exploit.

  2. Metrognome

    "Some customers are concerned about the risk of having their NAS remotely hacked through the internet, ... this is an unlikely scenario."

    Did this gem really come out of the mouths of an entity even remotely involved in IT?

    1. Chris Miller

      I've no idea what a 'typical' Seagate NAS customer looks like. It may well be that some of them are home brew systems used for storing torrents of old Star Trek episodes, for which enabling remote UPnP might be sensible. But for any commercial operation to expose their NAS directly to the Internet without disabling unnecessary services and the placement of an intervening DMZ (or at least a firewall) would be a bit, well, daft. That doesn't rule out the possibility of misconfiguration, of course.

      1. Senshi

        Yes, it's so unlikely, let's wait months/years to do anything about it. I really hope you're not in IT, because if you are, you aren't part of the solution. You're part of the problem.

        1. Chris Miller

          Who said anything about waiting for years (apart from you)? Accessing a reasonably configured system over the Internet is indeed 'unlikely'. In the real world, we have this thing called prioritising - look it up, you might learn something and it may prevent you from becoming 'part of the problem' (when you grow up).

    2. Anonymous Coward

      You just know that some part of the internet moved some pizza boxes off their keyboard and muttered "challenge accepted"

  3. Gordan

    Upstream Patched Years Ago?

    Having had a cursory look at the CVEs, they were published and patched upstream years ago. It is somewhat surprising that nobody noticed these problems in the Seagate NAS-es long before now.

    1. phil dude

      Re: Upstream Patched Years Ago?

      no liability for crap security.

      P.

    2. DrGoon

      Re: Upstream Patched Years Ago?

      Somebody may well have noticed these problems in the Seagate NASes long ago - it may have been in their interests to say nothing.

  4. Nate Amsden

    get what you pay for

    Want better security? Buy something with real support; nobody in their right mind should buy a NAS from a company like Seagate and expect anything great out of it.

    Want better protection? Buy an enterprise product. They are not perfect, of course, but at least organizationally they are much better geared to deal with this kind of thing. I have no expectation that Seagate (or any of the tens to maybe a hundred small NAS vendors out there) will have that level of structure. I say that as someone who has worked closely with software development teams for the past 15 years now (not related to storage, more related to SaaS/online transaction type systems).
