CVE-2014-3206
Published 2018-02-23
Priority P186 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 52.89% (98.8th percentile)
Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.
Detection & IOCs
- Monitor HTTP GET requests to /backupmgt/localJob.php whose 'session' parameter contains shell metacharacters (e.g., semicolons), which indicate command injection attempts.
- Monitor HTTP GET requests to /backupmgt/pre_connect_check.php whose 'auth_name' parameter contains shell metacharacters (e.g., semicolons), which indicate command injection attempts.
- GreyNoise tags IPs exploiting this CVE as 'Seagate BlackArmor RCE Attempt' with Malicious intention; cross-reference inbound traffic to BlackArmor NAS devices against GreyNoise threat feeds.
- The exploit uses a maximum of 2 HTTP requests targeting both vulnerable endpoints; detection logic should alert on either path being accessed with injection characters in query parameters.
- The NVD entry lists the second vulnerable path as 'localhost/backupmgmt/pre_connect_check.php' (directory spelled 'backupmgmt'), while the Nuclei template uses '/backupmgt/pre_connect_check.php' (directory spelled 'backupmgt'). Detections should cover both path variants.
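The detection logic from the list above, applied to web access logs. This is an added example, not code from any source cited on this page; the combined log format, the metacharacter set, the function names and the sample log lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Both directory spellings seen on this page (NVD: backupmgmt, Nuclei: backupmgt).
ENDPOINT = re.compile(r"^/backupmgm?t/(localJob|pre_connect_check)\.php$", re.I)
# Shell metacharacters looked for after URL-decoding (set chosen for this example).
METACHARS = re.compile(r"[;|&`$()<>\r\n]")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses are documentation ranges, payloads are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /backupmgt/localJob.php?session=abc%3BPLACEHOLDER HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /backupmgmt/pre_connect_check.php?auth_name=x;PLACEHOLDER HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /backupmgt/localJob.php?session=4f2a9c HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 99',
]


def suspicious_params(log_line):
    """Return [(path, param, decoded_value)] for injected-looking parameters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    if not ENDPOINT.match(path):
        return []  # metacharacters on unrelated paths are out of scope here
    hits = []
    # Split on '&' by hand: some parse_qs versions also split on ';',
    # which would hide the very character this check looks for.
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if METACHARS.search(value):
            hits.append((path, name, value))
    return hits


def scan(lines):
    """Collect hits across many log lines, keeping the line number for triage."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in suspicious_params(line)]


if __name__ == "__main__":
    for lineno, (path, param, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {path} param={param!r} value={value!r}")
```

Decoding before matching catches percent-encoded semicolons (`%3B`) that a raw-string match on `;` would miss.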
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL
GHSA
ghsa_unreviewed·2022-05-14
CVE-2014-3206 [CRITICAL] CWE-20 GHSA-fqq6-5w3p-gwc5: Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob
VulnCheck
vulncheck·2014·CVSS 9.8
CVE-2014-3206 [CRITICAL] seagate blackarmor_nas_220_firmware Improper Input Validation
Affected: seagate blackarmor_nas_220_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://twitter.com/ESETresearch/status/1440052837820428298?s=20; https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx; https://cujo.com/blog/iot-botnet-report-2021-malware-and-vulnerabilities-targeted/; https://cujo.com/blog/the-2022-2023-iot-botnet-report-
No detection rules found.
Nuclei
nuclei·CVSS 9.8
CVE-2014-3206 [CRITICAL] Seagate BlackArmor NAS - Command Injection
Template:
id: CVE-2014-3206

info:
  name: Seagate BlackArmor NAS - Command Injection
  author: gy741
  severity: critical
  description: Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands with the privileges of the affected device, potentially leading to unauthorized access, data loss, or