CVE April Vulnerabilities

TOS system configuration
Post Reply
User avatar
seajayshome
Posts: 18
Joined: 12 Feb 2022, 00:38

CVE April Vulnerabilities

Post by seajayshome » 09 May 2022, 19:17

Can I just check if the current "April" vulnerabilities disclosed on the CVE register are all fixed in the latest 4.2.32 TOS release?

CVE-2021-45842
It is possible to obtain the first administrator's hash set up in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) on the system as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/wapNasIPS endpoint.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM

CVE-2021-45841
In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 8.1 HIGH
V2.0: 6.8 MEDIUM

CVE-2021-45840
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH

CVE-2021-45839
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM

CVE-2021-45837
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH

CVE-2021-45836
An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 8.8 HIGH
V2.0: 9.0 HIGH

CVE-2021-30127
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
Published: April 03, 2021; 2:15:11 PM -0400

https://nvd.nist.gov/vuln/search/result ... arch=false

Post Reply