External risk intelligence

TerraMaster OS Password Disclosure Vulnerability.

CVE advisory | Known Exploit

CVE-2022-24990

TerraMaster NAS devices are affected by a vulnerability that allows attackers to discover administrative passwords. This exposure could lead to unauthorized access and control of the device and its data. The risk includes potential data breaches, system compromise, and disruption of services. The vulnerability is activ

Halo Surface Signal: 4

Missing Authentication

Terra Master Terramaster Operating System

before 4.2.31

External exposure likelihood

Halo Surface Signal score for CVE-2022-24990

The vulnerability exists in a Network Attached Storage (NAS) device management interface. NAS devices are frequently deployed as internet-facing appliances or gateways to facilitate remote file access, making their web-based administrative interfaces and management services commonly reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

TerraMaster NAS devices running version 4.2.29 and earlier contain a flaw that permits unauthorized access to sensitive information. Attackers can exploit this vulnerability to potentially uncover administrative passwords. This could expose the affected systems to further compromise.

  • Vulnerable: TerraMaster NAS devices
  • Flaw: Password exposure
  • Impact: Unauthorized access risk

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to discover administrative credentials for a TerraMaster Network Attached Storage (NAS) device. The attacker can send a specific request to the device's API, which then reveals the administrative password in the response. This could provide an attacker with unauthorized access to the NAS system and its data.

  • Exposure condition: Device is internet-facing.
  • Attacker starting point: Unauthenticated remote attacker.
  • Trigger and result: Send request, read password, gain access.

Live Threat

Current exploitation, exposure, and threat context

TerraMaster NAS devices running version 4.2.29 and earlier are susceptible to a vulnerability that allows for the discovery of administrative passwords. This information can then be used to gain unauthorized access to the device and its data. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating a real-world threat.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High, actively exploited

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows attackers to discover administrative passwords on TerraMaster Network Attached Storage (NAS) devices. This exposure could lead to unauthorized access and control of the device and its data, posing a significant risk to organizational security and operations. The business impact includes potential data breaches, system compromise, and disruption of services reliant on the affected NAS devices.

  • Identify all exposed TerraMaster NAS devices.
  • Restrict network access to affected devices.
  • Apply vendor updates and monitor system logs.
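The log-monitoring and inventory steps above, as an added example that is not part of this advisory: it flags access-log requests matching the request pattern the advisory describes (the module/api.php?mobile/webNasIPS endpoint with a 'TNAS' User-Agent) and checks a TOS version string against the affected range (before 4.2.31). The combined log format, the internal LAN ranges, and the sample lines are assumptions or constructed data.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Combined access-log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
VULN_ENDPOINT = "module/api.php?mobile/webNasIPS"  # endpoint named in the advisory
VULN_UA = "TNAS"                                   # User-Agent named in the advisory
FIXED_VERSION = (4, 2, 31)                         # advisory: affected before 4.2.31
# Assumed management LAN ranges; anything else counts as an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Severity for one request, or None when the endpoint is not touched."""
    if VULN_ENDPOINT not in entry["path"]:
        return None
    if is_internal(entry["ip"]):
        return "low"      # LAN source; may be a legitimate mobile client
    if entry["ua"].strip() == VULN_UA and entry["status"] == "200":
        return "high"     # full trigger pattern from outside, and it was answered
    return "medium"       # endpoint touched from outside, pattern incomplete

def find_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Parse log lines and return flagged entries with a 'severity' field."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        sev = classify(entry) if entry else None
        if sev:
            hits.append({**entry, "severity": sev})
    return hits

def is_vulnerable_version(version: str) -> bool:
    """True when a TOS version string is in the advisory's affected range."""
    return tuple(int(x) for x in version.strip().split(".")) < FIXED_VERSION

SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.7 - - [10/Feb/2022:10:15:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '198.51.100.4 - - [10/Feb/2022:10:16:12 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Feb/2022:10:17:45 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
]
```

A "high" hit answered with HTTP 200 should be treated as a credential exposure: rotate the administrative password after patching, not only before.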

Frequently asked questions

What is TerraMaster NAS and what is it used for?

TerraMaster NAS (Network Attached Storage) devices are used for storing and sharing files across a network. They function like a private cloud, allowing users to access their data remotely and manage storage.

How does CVE-2022-24990 expose administrative passwords?

CVE-2022-24990 is a weakness classified as CWE-306, representing 'Authentication Checks Omitted or Performed Incorrectly'. It allows an attacker to send a specific request to the device's API and then read the administrative password from the response without proper authentication.

What are the preconditions for an attacker to trigger this vulnerability?

An attacker needs unauthenticated remote access to the TerraMaster NAS device's API. The vulnerability is triggered by sending a specific request, with 'User-Agent: TNAS', to the module/api.php?mobile/webNasIPS endpoint.

Who should be concerned about this vulnerability based on Halo Surface Signal?

Organizations should be concerned if their TerraMaster NAS devices are accessible from the internet. Halo Surface Signal indicates that this type of vulnerability is likely to be externally exposed because NAS devices are often internet-facing for remote access.

What is the first step for someone running this technology?

The first step is to identify all TerraMaster NAS devices within your network that are running version 4.2.29 or earlier. Then, apply any available updates provided by TerraMaster to address the vulnerability.
