Sign-up

ID

VAR-201512-0524


CVE

CVE-2015-2874


TITLE

Seagate and LaCie wireless storage products contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#903500

DESCRIPTION

Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 have a default password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session. Seagate There are multiple vulnerabilities in the wireless storage products offered by. Authentication information ( password ) Is hard-coded (CWE-798) - CVE-2015-2874 Not described in manual telnet Service is up and username "root" , Accessible using the default password. CWE-798: Use of Hard-coded Credentials https://cwe.mitre.org/data/definitions/798.html In addition, National Vulnerability Database (NVD) Then CWE-255 It is published as Send request directly (Forced Browsing) (CWE-425) - CVE-2015-2875 By default, anyone can download files when accessing the device wirelessly. Any file on the file system can be downloaded directly. CWE-425: Direct Request ('Forced Browsing') https://cwe.mitre.org/data/definitions/425.html In addition, National Vulnerability Database (NVD) Then CWE-22 It is published as Unlimited upload of dangerous types of files (CWE-434) - CVE-2015-2876 When accessing the device wirelessly with default settings, /media/sda2 You can upload files to the file system. This file system is prepared for file sharing. CWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.htmlA remote attacker can access arbitrary files on the product, root It may be operated with authority. Seagate 36C running firmware versions 2.2.0.005 and 2.3.0.014 are vulnerable. A remote attacker can TELNET A session exploits this vulnerability to gain administrator privileges

Trust: 2.7

sources: NVD: CVE-2015-2874 // CERT/CC: VU#903500 // JVNDB: JVNDB-2015-006526 // BID: 76547 // VULHUB: VHN-80835

AFFECTED PRODUCTS

vendor:seagatemodel:wireless mobile storagescope:eqversion:*

Trust: 1.0

vendor:seagatemodel:goflex sattelitescope:eqversion:*

Trust: 1.0

vendor:seagatemodel:wireless plus mobile storagescope:eqversion:*

Trust: 1.0

vendor:laciemodel:lac9000436uscope:lteversion:2.3.0.014

Trust: 1.0

vendor:laciemodel:lac9000464uscope:lteversion:2.3.0.014

Trust: 1.0

vendor:laciemodel: - scope: - version: -

Trust: 0.8

vendor:seagatemodel: - scope: - version: -

Trust: 0.8

vendor:laciemodel:fuelscope: - version: -

Trust: 0.8

vendor:seagatemodel:goflex satellitescope: - version: -

Trust: 0.8

vendor:seagatemodel:wireless mobile storagescope: - version: -

Trust: 0.8

vendor:seagatemodel:wireless plus mobile storagescope: - version: -

Trust: 0.8

vendor:laciemodel:lac9000464uscope: - version: -

Trust: 0.6

vendor:seagatemodel:technology llc seagate 36cscope:eqversion:2.3.0.014

Trust: 0.3

vendor:seagatemodel:technology llc seagate 36cscope:eqversion:2.2.0.005

Trust: 0.3

vendor:seagatemodel:technology llc seagate 36cscope:neversion:3.4.1.105

Trust: 0.3

sources: CERT/CC: VU#903500 // BID: 76547 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-207 // NVD: CVE-2015-2874

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2874
value: CRITICAL

Trust: 1.0

IPA: JVNDB-2015-006526
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-207
value: CRITICAL

Trust: 0.6

VULHUB: VHN-80835
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-2874
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2015-006526
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-80835
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-2874
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-80835 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-207 // NVD: CVE-2015-2874

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

problemtype:CWE-22

Trust: 0.8

sources: VULHUB: VHN-80835 // JVNDB: JVNDB-2015-006526 // NVD: CVE-2015-2874

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-207

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201509-207

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006526

PATCH
title:Firmware Updates for Seagate Productsurl:http://knowledge.seagate.com/articles/en_US/FAQ/207931en
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-006526

EXTERNAL IDS
db:CERT/CCid:VU#903500
Trust: 3.6
db:NVDid:CVE-2015-2874
Trust: 2.8
db:JVNid:JVNVU92833570
Trust: 0.8
db:JVNDBid:JVNDB-2015-006526
Trust: 0.8
db:CNNVDid:CNNVD-201509-207
Trust: 0.7
db:BIDid:76547
Trust: 0.3
db:PACKETSTORMid:134986
Trust: 0.1
db:VULHUBid:VHN-80835
Trust: 0.1
sources:
            
            
            CERT/CC: VU#903500 // 
            
            
            
            VULHUB: VHN-80835 // 
            
            
            
            BID: 76547 // 
            
            
            
            JVNDB: JVNDB-2015-006526 // 
            
            
            
            CNNVD: CNNVD-201509-207 // 
            
            
            
            NVD: CVE-2015-2874

REFERENCES
url:https://www.kb.cert.org/vuls/id/903500
Trust: 2.8
url:https://www.kb.cert.org/vuls/id/gwan-9zgtuh
Trust: 2.5
url:https://www.kb.cert.org/vuls/id/gwan-a26l3f
Trust: 2.5
url:https://apps1.seagate.com/downloads/request.html
Trust: 1.4
url:http://knowledge.seagate.com/articles/en_us/faq/207931en
Trust: 1.4
url:http://cwe.mitre.org/data/definitions/425.html
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/434.html
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/798.html
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2874
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2875
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2876
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92833570/index.html
Trust: 0.8
url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2874
Trust: 0.8
url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2875
Trust: 0.8
url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2876
Trust: 0.8
url:http://www.seagate.com/in/en/
Trust: 0.3
sources:
            
            
            CERT/CC: VU#903500 // 
            
            
            
            VULHUB: VHN-80835 // 
            
            
            
            BID: 76547 // 
            
            
            
            JVNDB: JVNDB-2015-006526 // 
            
            
            
            CNNVD: CNNVD-201509-207 // 
            
            
            
            NVD: CVE-2015-2874

CREDITS
Mike Baucom, Allen Harper, and J. Rach of Tangible Security
Trust: 0.3
sources:
            
            
            BID: 76547

SOURCES
db:CERT/CCid:VU#903500
db:VULHUBid:VHN-80835
db:BIDid:76547
db:JVNDBid:JVNDB-2015-006526
db:CNNVDid:CNNVD-201509-207
db:NVDid:CVE-2015-2874

LAST UPDATE DATE
2025-04-13T20:55:01.391000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#903500date:2015-12-08T00:00:00
db:VULHUBid:VHN-80835date:2015-12-31T00:00:00
db:BIDid:76547date:2015-09-01T00:00:00
db:JVNDBid:JVNDB-2015-006526date:2016-01-14T00:00:00
db:CNNVDid:CNNVD-201509-207date:2016-01-04T00:00:00
db:NVDid:CVE-2015-2874date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CERT/CCid:VU#903500date:2015-09-01T00:00:00
db:VULHUBid:VHN-80835date:2015-12-31T00:00:00
db:BIDid:76547date:2015-09-01T00:00:00
db:JVNDBid:JVNDB-2015-006526date:2015-12-28T00:00:00
db:CNNVDid:CNNVD-201509-207date:2015-09-17T00:00:00
db:NVDid:CVE-2015-2874date:2015-12-31T05:59:02.673