Multiple vulnerabilities in TerraMaster TOS



Published: 2020-12-24 | Updated: 2023-06-10
Risk: High
Patch available: NO
Number of vulnerabilities: 7
CVE-ID: CVE-2020-28188, CVE-2020-29189, CVE-2020-28190, CVE-2020-28187, CVE-2020-28186, CVE-2020-28185, CVE-2020-28184
CWE-ID: CWE-78, CWE-284, CWE-300, CWE-22, CWE-640, CWE-200, CWE-79
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #1, #6 and #7.
Vulnerable software: TOS (Client/Desktop applications / Other client software)
Vendor: TerraMaster

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU49688

Risk: High

CVSSv3.1: 9.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-28188

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "Event" parameter in "/include/makecvs.php". A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Improper access control

EUVDB-ID: #VU49695

Risk: High

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-29189

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can bypass the read-only restriction and obtain full access to any folder within the NAS.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://terramaster.com
http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU49694

Risk: Medium

CVSSv3.1: 6.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-28190

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists because software updates and applications are checked for and delivered over an unencrypted communication channel (HTTP). A remote attacker can perform a man-in-the-middle attack and update the target software.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Path traversal

EUVDB-ID: #VU49693

Risk: Medium

CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-28187

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences within several parameters. A remote authenticated attacker can send a specially crafted HTTP request and read, edit or delete any file within the filesystem.

This vulnerability affects the following parameters:

  • "filename" in /tos/index.php?editor/fileGet
  • "Event" in /include/ajax/logtable.php
  • "opt" in /include/core/index.php
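
A detection sketch for entries 1 and 4, added here as an example and not taken from the bulletin or from TerraMaster: it scans web-server access logs for requests to the endpoints and parameters named above and flags shell metacharacters or traversal sequences in their values. The combined log format, the sample lines and the assumption that the parameters arrive in the query string are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> {parameter: check}, taken from the bulletin's entries #1 and #4.
WATCHED = {
    "/include/makecvs.php": {"Event": "cmd"},
    "/include/ajax/logtable.php": {"Event": "path"},
    "/include/core/index.php": {"opt": "path"},
    "/tos/index.php": {"filename": "path"},  # the ?editor/fileGet route
}
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Dec/2020:10:00:01 +0000] "GET /include/makecvs.php?Event=backup%3Becho%20test HTTP/1.1" 200 12',
    '203.0.113.7 - - [24/Dec/2020:10:00:05 +0000] "GET /include/ajax/logtable.php?Event=..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 40',
    '198.51.100.4 - - [24/Dec/2020:10:02:11 +0000] "GET /tos/index.php?editor/fileGet&filename=%252e%252e%2Fconfig HTTP/1.1" 200 9',
    '192.0.2.10 - - [24/Dec/2020:10:03:00 +0000] "GET /include/makecvs.php?Event=daily HTTP/1.1" 200 12',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client, path, parameter, reason) for each suspicious request."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, url = match[1], urlsplit(match[2])
        checks = WATCHED.get(url.path, {})
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if checks.get(name) == "cmd" and SHELL_META.search(value):
                findings.append((client, url.path, name, "shell-metacharacter"))
            elif checks.get(name) == "path" and TRAVERSAL.search(value):
                findings.append((client, url.path, name, "path-traversal"))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.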

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Weak Password Recovery Mechanism for Forgotten Password

EUVDB-ID: #VU49692

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-28186

CWE-ID: CWE-640 - Weak password recovery mechanism

Exploit availability: No

Description

The vulnerability allows a remote attacker to take over the account.

The vulnerability exists due to email injection in the forgot-password functionality. A remote attacker can achieve account takeover.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

EUVDB-ID: #VU49691

Risk: Medium

CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-28185

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to email injection in the "username" parameter in "wizard/initialise.php". A remote attacker can identify valid users within the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

7) Cross-site scripting

EUVDB-ID: #VU49690

Risk: Low

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-28184

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "mod" parameter in "/module/index.php". A remote authenticated attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links

http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
http://www.terra-master.com/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


