Multiple vulnerabilities in TerraMaster TOS
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2020-28188 CVE-2020-29189 CVE-2020-28190 CVE-2020-28187 CVE-2020-28186 CVE-2020-28185 CVE-2020-28184 |
| CWE-ID | CWE-78 CWE-284 CWE-300 CWE-22 CWE-640 CWE-200 CWE-79 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. |
| Vulnerable software |
TOS Client/Desktop applications / Other client software |
| Vendor | TerraMaster |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) OS Command Injection
EUVDB-ID: #VU49688
Risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2020-28188
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the "Event" parameter in "/include/makecvs.php". A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU49695
Risk: High
CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-29189
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated attacker can bypass read-only restriction and obtain full access to any folder within the NAS.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://terramaster.com
https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Man-in-the-Middle (MitM) attack
EUVDB-ID: #VU49694
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28190
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.
The vulnerability exists due to the affected software update and applications are checked and delivered via un-encrypted communication channel (HTTP). A remote attacker can perform perform a man-in-the-middle attack and update the target software.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Path traversal
EUVDB-ID: #VU49693
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28187
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within several parameters. A remote authenticated attacker can send a specially crafted HTTP request and read, edit or delete any file within the filesystem.
This vulnerability affects the following parameters:
- "filename" in /tos/index.php?editor/fileGet
- "Event" in /include/ajax/logtable.php,
- "opt" in /include/core/index.php
Mitigation
Install updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Weak Password Recovery Mechanism for Forgotten Password
EUVDB-ID: #VU49692
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28186
CWE-ID:
CWE-640 - Weak password recovery mechanism
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to takeover the account.
The vulnerability exists due to the email injection in the forget password functionality. A remote attacker can achieve account takeover.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU49691
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-28185
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to email injection in the "username" parameter in "wizard/initialise.php". A remote attacker can identify valid users within the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Cross-site scripting
EUVDB-ID: #VU49690
Risk: Low
CVSSv4.0: 0.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2020-28184
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "mod" parameter in "/module/index.php". A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsTOS: 4.2.06
CPE2.3 External linkshttps://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
https://www.terra-master.com/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
