Very High
CVE-2022-24990
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2022-24990
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Add Assessment
Ratings
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
This is the third exploit a.k.a. TerrorMaster 3
targeting TerraMaster NAS devices running TerraMaster Operating System (TOS) 4.2.29
or lower.
Octagon Networks published in March 2022 an analysis CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation explaining a chain of vulnerabilities that makes all TerraMaster NAS servers running TOS version 4.2.29
and lower vulnerable for an unauthenticated RCE.
It basically combines CVE-2022-24990: Leaking sensitive information and CVE-2022-24989: Authenticated remote code execution to achieve an unauthenticated RCE by exploiting vulnerable endpoint api.php?mobile/webNasIPS
leaking sensitive information such as admin password hash and mac address to achieve unauthenticated access and use the vulnerable endpointapi.php?mobile/createRaid
with POST
parameters raidtype
/ diskstring
to execute remote code as root on TerraMaster NAS devices.
As usual, you can find the third module here in my local repository or as PR 18086 submitted at the Metasploit Github development.
With release of TOS 5.x
, all of these vulnerabilities are now mitigated, but I would not be surprised that in the near future, some new exploits will come to surface looking back at the ugly history of TerraMaster flaws in the past.
Mitigation
Please update your TOS version
up to the latest supported TOS 4.2.x
version or TOS 5.x
version to be protected against all known vulnerabilities and do NOT to expose your TerraMaster NAS devices directly to the Internet.
References
CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation
POC 0xf4n9x
CVE-2022-24990
CVE-2022-24989
TerrorMaster 3 – h00die-gr3y Metasploit local repository
TerrorMaster 3 – Metasploit PR 18086
TerrorMaster 1
TerrorMaster 2
Credits
Octagon Networks
0xf4n9x
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportThis is a quality and nice blog post that you have composed here. Are you in search of the right blog on how to apply for Nonprofit Grants, and the article that best explains and gives more guides on how you can go through it. Then you are in the right place for that. All you need to do is to visit my blog for contents related to this topic.
https://www.makeoverarena.com/how-to-apply-for-nonprofit-grants
CVSS V3 Severity and Metrics
General Information
Vendors
- terra-master
Products
- terramaster operating system
Exploited in the Wild
- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa23-040a)
- Threat Feed (https://cybersecurityworks.com/blog/cyber-risk/csws-threat-intelligence-february-6-2022-february-10-2022.html)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Vendor Advisory (https://forum.terra-master.com/en/viewtopic.php?t=3030)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: