Improper access control in TOS

#VU49695 Improper access control in TOS

Published: 2020-12-24 | Updated: 2021-01-19

Vulnerability identifier: #VU49695

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-29189

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TOS
Client/Desktop applications / Other client software

Vendor: TerraMaster

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can bypass read-only restriction and obtain full access to any folder within the NAS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TOS: 4.2.06

External links
http://terramaster.com
http://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in TerraMaster TOS