Very High
CVE-2020-28188
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-28188
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Noted as exploited in the wild by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, who noted an exploit for this vulnerability was being used as part of a botnet building operation.
Looking into their writeup, they note that remote unauthenticated attackers can use this vulnerability to take over the TerraMaster TOS operating system via command injection in the event
parameter in the /include/makecvs.php
page. Interestingly they don’t specify the user the attacker’s injected command will run as, but they do include a very useful screenshot which shows that a GET request to /include/makecve.php?Event=%60
, followed by the command the attacker wishes to execute, followed by another %60
, will allow for arbitrary command injection. %60 is `, which suggests that the command being executed may have been enclosed in backticks, and that by escaping these backticks, the attacker is able to execute arbitrary commands.
Users can patch this vulnerability by upgrading to version 4.2.06 of Terramaster TOS on their NAS devices. Given the severity of this bug and evidence of exploitation in the wild, it is strongly encouraged to patch this vulnerability as soon as possible.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
Please see the Rapid7 analysis. CVE-2020-28188 is being used in the “FreakOut” attack campaign.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- terra-master
Products
- tos
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Description
On December 12, 2020, IHTeam disclosed an unauthenticated remote command execution (RCE) vulnerability, CVE-2020-28188, in TerraMaster’s TOS (the operating system that runs their Network Attached Storage devices). The vulnerability arises from a lack of input validation in the Event
parameter in the include/makecvs.php
page, which allows attackers to gain control of the system.
According to a CheckPoint research blog, CVE-2020-28188 is being exploited in the wild by malicious actors to create an IRC botnet. This attack campaign has been dubbed “FreakOut.” A public proof-of-concept (PoC) consisting of a single GET
request has been available since December 12, 2020.
Affected products
TerraMaster TOS (versions 4.2.06 and prior)
Rapid7 analysis
CVE-2020-28188 is remotely and trivially exploitable and gives an attacker root privileges on the vulnerable target system. The poorly sanitized Event
parameter in the makecvs.php
page is used directly in the server command line, and the TOS web service runs with root privileges. Since the web service allows running PHP files, attackers have a readily available vector for uploading a PHP shell.
Guidance
TerraMaster customers who have TerraMaster TOS instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure TerraMaster TOS is not exposed to the internet until the appropriate patches have been applied.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: