Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking
Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage devices that could be chained to attain unauthenticated remote code execution with the highest privileges.
"The issues reside in TOS, an abbreviation for TerraMaster Operating System, and can grant unauthenticated attackers access to the victim's box simply by knowing the IP address," Ethiopian cyber security research firm Octagon Networks' Paulos Yibelo said in a statement shared with The Hacker News.
Following responsible disclosure, the flaws were patched in TOS version 4.2.30 released last week on March 1, 2022.
One of the issues, tracked as CVE-2022-24990, is an information leak in a component called "WebNasIPS": an unauthenticated request to it exposes the TOS firmware version, the IP and MAC address of the default gateway interface, and a hash of the administrator password.
The disclosure arrives as TerraMaster NAS devices have also been targeted by Deadbolt ransomware attacks, joining the likes of QNAP and ASUSTOR. The company notes that TOS version 4.2.30 also addresses the vulnerabilities the threat actors likely exploited to deploy the ransomware.
"Fixed a security vulnerability related to the Deadbolt ransomware attack," the company noted, recommending that users "Re-install the latest version of the TOS system to prevent unencrypted files from continuing to be encrypted."
News URL: https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.html
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- D-Link won't fix critical flaw affecting 60,000 older NAS devices
- Critical bug in EoL D-Link NAS devices now exploited in attacks
- QNAP addresses critical flaws across NAS, router software
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-02-07 | CVE-2022-24990 | Missing Authentication for Critical Function vulnerability in Terra-Master Terramaster Operating System TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. | 7.5
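For defenders who cannot patch immediately, the CVE record above gives two concrete indicators that can be checked in the NAS web server's access log: the request path `module/api.php?mobile/webNasIPS` and the `User-Agent: TNAS` header. The following is an added example (not code from The Hacker News, Octagon Networks or TerraMaster) that parses combined-format access log lines and flags requests matching those indicators, with a summary per source address. The log lines, field layout and IP addresses are constructed for the example; whether TOS actually logs in this format is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access-log lines in nginx/Apache "combined" format.
# These are made up for the example; they are not real TOS logs.
SAMPLE_LOGS = [
    '203.0.113.7 - - [02/Mar/2022:10:15:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.9 - - [02/Mar/2022:10:15:05 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [02/Mar/2022:10:16:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2022:10:16:30 +0000] "POST /module/api.php?mobile/login HTTP/1.1" 401 100 "-" "TNAS"',
    'this line is not a valid access-log record',
]

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the CVE-2022-24990 record on this page.
WEBNASIPS_PATH = "/module/api.php?mobile/webNasIPS"
TNAS_USER_AGENT = "TNAS"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_webnasips_request(rec: Dict[str, str], require_tnas_ua: bool = True) -> bool:
    """True if the record hits the webNasIPS endpoint.

    With require_tnas_ua=True only requests that also carry the "TNAS" User-Agent
    are flagged (the high-confidence indicator); with False any request to the
    endpoint is flagged, which is noisier but catches clients that change the UA.
    """
    if rec["path"].lower() != WEBNASIPS_PATH.lower():
        return False
    if require_tnas_ua and rec["ua"].strip().lower() != TNAS_USER_AGENT.lower():
        return False
    return True


def find_webnasips_probes(lines: List[str], require_tnas_ua: bool = True) -> List[Dict[str, str]]:
    """Return the parsed records that match the indicators, skipping unparseable lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_webnasips_request(rec, require_tnas_ua):
            hits.append(rec)
    return hits


def probes_by_source(lines: List[str], require_tnas_ua: bool = True) -> Dict[str, int]:
    """Count flagged requests per source IP, for triage and blocking decisions."""
    return dict(Counter(rec["ip"] for rec in find_webnasips_probes(lines, require_tnas_ua)))


if __name__ == "__main__":
    for rec in find_webnasips_probes(SAMPLE_LOGS):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} status={rec["status"]} ua={rec["ua"]!r}')
    print("per source:", probes_by_source(SAMPLE_LOGS, require_tnas_ua=False))
```

A hit with the `TNAS` user agent from an address that is not a known TerraMaster mobile client is worth investigating, and a `200` status means the endpoint answered, so the administrator password hash should be treated as exposed and rotated after upgrading to TOS 4.2.30. The user-agent check is only a convenience filter; the endpoint match alone is the durable indicator, and the actual mitigation is the vendor patch plus keeping the TOS management interface off the public internet.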