Security News > 2022 > March > Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking

Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage devices that could be chained to attain unauthenticated remote code execution with the highest privileges.

"The issues reside in TOS, an abbreviation for TerraMaster Operating System, and"can grant unauthenticated attackers access to the victim's box simply by knowing the IP address, Ethiopian cyber security research firm Octagon Networks' Paulos Yibelo said in a statement shared with The Hacker News.

Following responsible disclosure, the flaws were patched in TOS version 4.2.30 released last week on March 1, 2022.

One of the issues, tracked as CVE-2022-24990, concerns a case of information leak in a component called "WebNasIPS," resulting in the exposure of TOS firmware version, the default gateway interface's IP and MAC address, and a hash of the administrator password.

The disclosure arrives as TerraMaster NAS devices have also been subjected to Deadbolt ransomware attacks, joining the likes of QNAP and ASUSTOR, with the company noting that it addressed the vulnerabilities that were likely exploited by the threat actors to deploy the ransomware in TOS version 4.2.30.

"Fixed a security vulnerability related to the Deadbolt ransomware attack," the company noted, recommending users to "Re-install the latest version of the TOS system to prevent unencrypted files from continuing to be encrypted."

News URL

https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.html