CVE-2022-24990: TerraMaster OS Remote Command Execution Vulnerability
First published: Tue Feb 07 2023(Updated: )
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Terra-master Terramaster Operating System | <4.2.31 | |
| Terra-master F2-210 | ||
| Terra-master F2-221 | ||
| Terra-master F2-223 | ||
| Terra-master F2-422 | ||
| Terra-master F2-423 | ||
| Terra-master F4-421 | ||
| Terra-master F4-422 | ||
| Terra-master F4-423 | ||
| Terra-master F5-221 | ||
| Terra-master F5-422 | ||
| Terra-master T12-423 | ||
| Terra-master T12-450 | ||
| Terra-master T6-423 | ||
| Terra-master T9-423 | ||
| Terra-master T9-450 | ||
| Terra-master U12-322-9100 | ||
| Terra-master U12-423 | ||
| Terra-master U12-722-2224 | ||
| Terra-master U16-322-9100 | ||
| Terra-master U16-722-2224 | ||
| Terra-master U24-722-2224 | ||
| Terra-master U4-111 | ||
| Terra-master U4-211 | ||
| Terra-master U4-423 | ||
| Terra-master U8-111 | ||
| Terra-master U8-322-9100 | ||
| Terra-master U8-423 | ||
| Terra-master U8-522-9400 | ||
| Terra-master U8-722-2224 | ||
| All of | ||
| Terra-master Terramaster Operating System | <4.2.31 | |
| Any of | ||
| Terra-master F2-210 | ||
| Terra-master F2-221 | ||
| Terra-master F2-223 | ||
| Terra-master F2-422 | ||
| Terra-master F2-423 | ||
| Terra-master F4-421 | ||
| Terra-master F4-422 | ||
| Terra-master F4-423 | ||
| Terra-master F5-221 | ||
| Terra-master F5-422 | ||
| Terra-master T12-423 | ||
| Terra-master T12-450 | ||
| Terra-master T6-423 | ||
| Terra-master T9-423 | ||
| Terra-master T9-450 | ||
| Terra-master U12-322-9100 | ||
| Terra-master U12-423 | ||
| Terra-master U12-722-2224 | ||
| Terra-master U16-322-9100 | ||
| Terra-master U16-722-2224 | ||
| Terra-master U24-722-2224 | ||
| Terra-master U4-111 | ||
| Terra-master U4-211 | ||
| Terra-master U4-423 | ||
| Terra-master U8-111 | ||
| Terra-master U8-322-9100 | ||
| Terra-master U8-423 | ||
| Terra-master U8-522-9400 | ||
| Terra-master U8-722-2224 | ||
| TerraMaster TerraMaster OS | ||
| All of | ||
| <4.2.31 | ||
| Any of | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
- https://forum.terra-master.com/en/viewtopic.php?t=3030;
- https://nvd.nist.gov/vuln/detail/CVE-2022-24990
- collector/nvd-index
- agent/type
- agent/description
- agent/severity
- agent/title
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/tags
- collector/nvd-cve
- vendor/terra-master
- canonical/terra-master terramaster operating system
- canonical/terra-master f2-210
- canonical/terra-master f2-221
- canonical/terra-master f2-223
- canonical/terra-master f2-422
- canonical/terra-master f2-423
- canonical/terra-master f4-421
- canonical/terra-master f4-422
- canonical/terra-master f4-423
- canonical/terra-master f5-221
- canonical/terra-master f5-422
- canonical/terra-master t12-423
- canonical/terra-master t12-450
- canonical/terra-master t6-423
- canonical/terra-master t9-423
- canonical/terra-master t9-450
- canonical/terra-master u12-322-9100
- canonical/terra-master u12-423
- canonical/terra-master u12-722-2224
- canonical/terra-master u16-322-9100
- canonical/terra-master u16-722-2224
- canonical/terra-master u24-722-2224
- canonical/terra-master u4-111
- canonical/terra-master u4-211
- canonical/terra-master u4-423
- canonical/terra-master u8-111
- canonical/terra-master u8-322-9100
- canonical/terra-master u8-423
- canonical/terra-master u8-522-9400
- canonical/terra-master u8-722-2224
- vendor/terramaster
- canonical/terramaster terramaster os