Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-28188

Disclosure Date: December 24, 2020
Exploited in the Wild
Reported by gwillcox-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Noted as exploited in the wild by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, who noted an exploit for this vulnerability was being used as part of a botnet building operation.

Looking into their writeup, they note that remote unauthenticated attackers can use this vulnerability to take over the TerraMaster TOS operating system via command injection in the event parameter in the /include/makecvs.php page. Interestingly they don’t specify the user the attacker’s injected command will run as, but they do include a very useful screenshot which shows that a GET request to /include/makecve.php?Event=%60, followed by the command the attacker wishes to execute, followed by another %60, will allow for arbitrary command injection. %60 is `, which suggests that the command being executed may have been enclosed in backticks, and that by escaping these backticks, the attacker is able to execute arbitrary commands.

Users can patch this vulnerability by upgrading to version 4.2.06 of Terramaster TOS on their NAS devices. Given the severity of this bug and evidence of exploitation in the wild, it is strongly encouraged to patch this vulnerability as soon as possible.

1
Technical Analysis

Please see the Rapid7 analysis. CVE-2020-28188 is being used in the “FreakOut” attack campaign.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Additional Info

Technical Analysis

Description

On December 12, 2020, IHTeam disclosed an unauthenticated remote command execution (RCE) vulnerability, CVE-2020-28188, in TerraMaster’s TOS (the operating system that runs their Network Attached Storage devices). The vulnerability arises from a lack of input validation in the Event parameter in the include/makecvs.php page, which allows attackers to gain control of the system.

According to a CheckPoint research blog, CVE-2020-28188 is being exploited in the wild by malicious actors to create an IRC botnet. This attack campaign has been dubbed “FreakOut.” A public proof-of-concept (PoC) consisting of a single GET request has been available since December 12, 2020.

Affected products

TerraMaster TOS (versions 4.2.06 and prior)

Rapid7 analysis

CVE-2020-28188 is remotely and trivially exploitable and gives an attacker root privileges on the vulnerable target system. The poorly sanitized Event parameter in the makecvs.php page is used directly in the server command line, and the TOS web service runs with root privileges. Since the web service allows running PHP files, attackers have a readily available vector for uploading a PHP shell.

Guidance

TerraMaster customers who have TerraMaster TOS instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure TerraMaster TOS is not exposed to the internet until the appropriate patches have been applied.

References