Two critical vulnerabilities were detected by researchers investigating the NAS system of the devices WD My Book, NetGear Stora, SeaGate Home and NAS Medion LifeCloud. NAS are widely used storage devices in small and medium businesses that enable a computer network to access files without slowing down the system.
The vulnerabilities CVE-2018–18472 and CVE-2018–18471 are remote command execution, allowing access privileges without the need for passwords, and only the IP address of the NAS device is required to perform the attack. The first flaw hits the operating system Axentra Hipserv, which has the function of managing login and storage of files in the cloud, affecting the brands NetGear, SeaGate and Life Cloud. The second flaw is present in WD and some LifeCloud models and affects language switching functionality by modifying the REST API which is a protocol with set of principles that allow the creation of interfaces. In both cases, you can read and modify existing files, users, and data, or explore activities with larger privileges.
There are still no fixes for the flaws. Users are advised not to use their devices on the Long Distance Network and use VPN to traffic information without risk of attack.
Article originally published in the Tempest Soundbites app, available to Tempest customers on Android and iOS versions. To get a credential, talk to your relationship manager.