ID

VAR-201512-0525


CVE

CVE-2015-2875


TITLE

Seagate and LaCie wireless storage products contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#903500

DESCRIPTION

Absolute path traversal vulnerability on Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 allows remote attackers to read arbitrary files via a full pathname in a download request during a Wi-Fi session.

There are multiple vulnerabilities in the wireless storage products offered by Seagate.

Hard-coded authentication information (password) (CWE-798) - CVE-2015-2874: A telnet service that is not described in the manual is running and is accessible with the username "root" and the default password. CWE-798: Use of Hard-coded Credentials https://cwe.mitre.org/data/definitions/798.html The National Vulnerability Database (NVD) publishes this issue as CWE-255.

Direct request (Forced Browsing) (CWE-425) - CVE-2015-2875: By default, anyone can download files when accessing the device wirelessly. Any file on the file system can be downloaded directly. CWE-425: Direct Request ('Forced Browsing') https://cwe.mitre.org/data/definitions/425.html The National Vulnerability Database (NVD) publishes this issue as CWE-22.

Unrestricted upload of dangerous file types (CWE-434) - CVE-2015-2876: When accessing the device wirelessly with default settings, files can be uploaded to the /media/sda2 file system. This file system is provided for file sharing. CWE-434: Unrestricted Upload of File with Dangerous Type https://cwe.mitre.org/data/definitions/434.html

A remote attacker can access arbitrary files on the product or operate it with root privileges. Seagate 36C running firmware versions 2.2.0.005 and 2.3.0.014 are vulnerable.

Trust: 2.7

sources: NVD: CVE-2015-2875 // CERT/CC: VU#903500 // JVNDB: JVNDB-2015-006526 // BID: 76547 // VULHUB: VHN-80836

IOT TAXONOMY

category: ['home & office device'], sub_category: storage device

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: seagate, model: wireless mobile storage, scope: eq, version: *

Trust: 1.0

vendor: seagate, model: goflex sattelite, scope: eq, version: *

Trust: 1.0

vendor: seagate, model: wireless plus mobile storage, scope: eq, version: *

Trust: 1.0

vendor: lacie, model: lac9000436u, scope: lte, version: 2.3.0.014

Trust: 1.0

vendor: lacie, model: lac9000464u, scope: lte, version: 2.3.0.014

Trust: 1.0

vendor: lacie, model: -, scope: -, version: -

Trust: 0.8

vendor: seagate, model: -, scope: -, version: -

Trust: 0.8

vendor: lacie, model: fuel, scope: -, version: -

Trust: 0.8

vendor: seagate, model: goflex satellite, scope: -, version: -

Trust: 0.8

vendor: seagate, model: wireless mobile storage, scope: -, version: -

Trust: 0.8

vendor: seagate, model: wireless plus mobile storage, scope: -, version: -

Trust: 0.8

vendor: lacie, model: lac9000464u, scope: -, version: -

Trust: 0.6

vendor: lacie, model: lac9000436u, scope: -, version: -

Trust: 0.6

vendor: seagate, model: technology llc seagate 36c, scope: eq, version: 2.3.0.014

Trust: 0.3

vendor: seagate, model: technology llc seagate 36c, scope: eq, version: 2.2.0.005

Trust: 0.3

vendor: seagate, model: technology llc seagate 36c, scope: ne, version: 3.4.1.105

Trust: 0.3

sources: CERT/CC: VU#903500 // BID: 76547 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-208 // NVD: CVE-2015-2875

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2875
value: HIGH

Trust: 1.0

IPA: JVNDB-2015-006526
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-208
value: HIGH

Trust: 0.6

VULHUB: VHN-80836
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-2875
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2015-006526
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-80836
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-2875
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-80836 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-208 // NVD: CVE-2015-2875

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

problemtype:CWE-255

Trust: 0.8

sources: VULHUB: VHN-80836 // JVNDB: JVNDB-2015-006526 // NVD: CVE-2015-2875

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-208

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201509-208

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006526

PATCH

title: Firmware Updates for Seagate Products
url: http://knowledge.seagate.com/articles/en_US/FAQ/207931en

Trust: 0.8

title: Multiple Seagate Fixes for wireless storage product path traversal vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57745

Trust: 0.6

sources: JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-208

EXTERNAL IDS

db: CERT/CC, id: VU#903500

Trust: 3.6

db: NVD, id: CVE-2015-2875

Trust: 2.9

db: JVN, id: JVNVU92833570

Trust: 0.8

db: JVNDB, id: JVNDB-2015-006526

Trust: 0.8

db: CNNVD, id: CNNVD-201509-208

Trust: 0.7

db: BID, id: 76547

Trust: 0.3

db: OTHER, id: NONE

Trust: 0.1

db: VULHUB, id: VHN-80836

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#903500 // VULHUB: VHN-80836 // BID: 76547 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-208 // NVD: CVE-2015-2875

REFERENCES

url:https://www.kb.cert.org/vuls/id/903500

Trust: 2.8

url:https://www.kb.cert.org/vuls/id/gwan-9zgtuh

Trust: 2.5

url:https://www.kb.cert.org/vuls/id/gwan-a26l3f

Trust: 1.9

url:https://apps1.seagate.com/downloads/request.html

Trust: 1.4

url:http://knowledge.seagate.com/articles/en_us/faq/207931en

Trust: 1.4

url:http://cwe.mitre.org/data/definitions/425.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/434.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/798.html

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2874

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2875

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2876

Trust: 0.8

url:http://jvn.jp/vu/jvnvu92833570/index.html

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2874

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2875

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2876

Trust: 0.8

url:http://www.seagate.com/in/en/

Trust: 0.3

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#903500 // VULHUB: VHN-80836 // BID: 76547 // JVNDB: JVNDB-2015-006526 // CNNVD: CNNVD-201509-208 // NVD: CVE-2015-2875

CREDITS

Mike Baucom, Allen Harper, and J. Rach of Tangible Security

Trust: 0.3

sources: BID: 76547

SOURCES

db: OTHER, id: -
db: CERT/CC, id: VU#903500
db: VULHUB, id: VHN-80836
db: BID, id: 76547
db: JVNDB, id: JVNDB-2015-006526
db: CNNVD, id: CNNVD-201509-208
db: NVD, id: CVE-2015-2875

LAST UPDATE DATE

2025-04-13T19:46:32.152000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#903500, date: 2015-12-08T00:00:00
db: VULHUB, id: VHN-80836, date: 2015-12-31T00:00:00
db: BID, id: 76547, date: 2015-09-01T00:00:00
db: JVNDB, id: JVNDB-2015-006526, date: 2016-01-14T00:00:00
db: CNNVD, id: CNNVD-201509-208, date: 2016-01-04T00:00:00
db: NVD, id: CVE-2015-2875, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#903500, date: 2015-09-01T00:00:00
db: VULHUB, id: VHN-80836, date: 2015-12-31T00:00:00
db: BID, id: 76547, date: 2015-09-01T00:00:00
db: JVNDB, id: JVNDB-2015-006526, date: 2015-12-28T00:00:00
db: CNNVD, id: CNNVD-201509-208, date: 2015-09-17T00:00:00
db: NVD, id: CVE-2015-2875, date: 2015-12-31T05:59:03.720