Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges.
The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victim's box simply by knowing the IP address," Ethiopian cyber security research firm Octagon Networks' Paulos Yibelo said in a statement shared with The Hacker News.
TOS is the operating system designed for TNAS appliances, enabling users to manage storage, install applications, and backup data. Following responsible disclosure, the flaws were patched in TOS version 4.2.30 released last week on March 1, 2022.
One of the issues, tracked as CVE-2022-24990, concerns a case of information leak in a component called "webNasIPS," resulting in the exposure of TOS firmware version, the default gateway interface's IP and MAC address, and a hash of the administrator password.
The second shortcoming, on the other hand, relates to a command injection flaw in a PHP module called "createRaid" (CVE-2022-24989), resulting in a scenario where the two issues can be stringed together to submit a specially-crafted command to achieve remote code execution.
"All in all, this was a very interesting project," Yibelo said. "We have used multiple components of an information leak, along with another information leak of the machine's time, and chained it with an authenticated OS command injection to achieve unauthenticated remote code execution as root.
The disclosure arrives as TerraMaster NAS devices have also been subjected to Deadbolt ransomware attacks, joining the likes of QNAP and ASUSTOR, with the company noting that it addressed the vulnerabilities that were likely exploited by the threat actors to deploy the ransomware in TOS version 4.2.30.
It's not immediately clear if the same set of vulnerabilities discovered by Octagon Networks were weaponized for Deadbolt infections. We have reached out to TerraMaster for further comment, and we will update the story if we hear back.
"Fixed a security vulnerability related to the Deadbolt ransomware attack," the company noted, recommending users to "re-install the latest version of the TOS system (4.2.30 or later) to prevent unencrypted files from continuing to be encrypted."