Researchers have revealed information of severe security flaws in TerraMaster Network-Attached Storage (TNAS) devices that may be used to get unauthenticated remote code execution with the highest privileges if chained together. According to Ethiopian cyber security research firm Octagon Networks’ Paulos Yibelo, the flaws are in the TerraMaster Operating System (TOS). They can enable unauthenticated attackers access to the victim device by knowing the IP address only.
TNAS appliances use TOS as their operating system, which allows users to manage storage, install programs, and backup data. The weaknesses were corrected in TOS version 4.2.30, which was published last week on March 1, 2022, after responsible disclosure.
One of the vulnerabilities, identified as CVE-2022-24990, involves a data leak in a component called “webNasIPS,” exposing the TOS firmware version, the default gateway interface’s IP and MAC addresses, and a hash of the administrator password. On the other hand, the second flaw is a command injection flaw in a PHP module called “createRaid” (CVE-2022-24989), which can be used to submit a specially crafted command to gain remote code execution.
“All in all, this was a very interesting project,” Yibelo stated. “We have used multiple components of an information leak, along with another information leak of the machine’s time, and chained it with an authenticated OS command injection to achieve unauthenticated remote code execution as root.”
The news comes as TerraMaster NAS systems have been targeted by Deadbolt ransomware, joining the likes of QNAP and ASUSTOR. The firm claims that TOS version 4.2.30 fixed the vulnerabilities that the threat actors most likely used to spread the ransomware. It’s unclear whether the same set of vulnerabilities discovered by Octagon Networks was used in the Deadbolt attacks.
The company noted that it had fixed a security vulnerability related to the Deadbolt ransomware attack. Users should re-install the latest version of the TOS system (4.2.30 or later) to prevent unencrypted files from being encrypted again.
