Remote, unauthenticated attackers can exploit the flaws, reported by researchers at Tangible Security, to access arbitrary files on the hard drive and gain root access to the device. The flaws affect Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL. These are products designed for personal use.
The security flaws have been confirmed to exist in versions 2.2.0.005 and 2.3.0.014 of the firmware; however, other versions may also be affected. CERT said in an advisory that Seagate patched the vulnerabilities with the release of version 18.104.22.168 of the firmware.
An expert in the analysis of Seagate hard drives, Allen Harper of Tangible Security, confirmed that the updates released by Seagate patch the vulnerabilities.
CERT's advisory identifies three vulnerabilities in Seagate's wireless hard drives. One flaw (CVE-2015-2874) involves the use of hardcoded credentials that can be used to access undocumented Telnet services. Another is a direct request issue (CVE-2015-2875) that can allow anonymous hackers with wireless access to the storage unit to download files from anywhere on the file system. The last bug (CVE-2015-2876) can be exploited by attackers to wirelessly upload potentially malicious files to the device's /media/sda2 filesystem, which is reserved for file sharing.
"Affected users are encouraged to update the firmware as soon as possible. Customers may download the firmware from Seagate's website," Seagate said.