Can I just check if the current "April" vulnerabilities disclosed on the CVE register are all fixed in the latest 4.2.32 TOS release?
CVE-2021-45842
It is possible to obtain the first administrator's hash set up in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) on the system as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/wapNasIPS endpoint.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-45841
In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2021-45840
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2021-45839
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-45837
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2021-45836
An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.
Published: April 25, 2022; 7:15:07 AM -0400 V3.1: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2021-30127
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
Published: April 03, 2021; 2:15:11 PM -0400
https://nvd.nist.gov/vuln/search/result ... arch=false
CVE April Vulnerabilities
Topics related to system security only
- seajayshome
- Posts: 20
- Joined: 12 Feb 2022, 00:38
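As an added example from the defender's side (not code from the post, from NVD, or from TerraMaster): a small Python detector that flags web-server log requests to the endpoints the CVE entries above name, and marks hits coming from outside the NAS's LAN, which is the kind of exposure CVE-2021-30127 describes. It assumes Common Log Format lines and a LAN of 192.168.1.0/24; the sample log lines are constructed.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Endpoints named in the CVE entries quoted in the post, keyed by (path, TOS route).
WATCHED = {
    ("/module/api.php", "mobile/wapNasIPS"): "CVE-2021-45842",
    ("/module/api.php", "mobile/webNasIPS"): "CVE-2021-45839",
    ("/tos/index.php", "app/app_start_stop"): "CVE-2021-45840",
    ("/tos/index.php", "app/del"): "CVE-2021-45837",
    ("/tos/index.php", "app/hand_app"): "CVE-2021-45836",
}
# Assumption: the NAS lives on this LAN; any other client on the admin UI is "external".
LAN = ipaddress.ip_network("192.168.1.0/24")
# Common Log Format: ip ident user [timestamp] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def tos_route(target):
    """(path, route) for a request target; TOS puts the route in the first query
    key, e.g. /tos/index.php?app/del -> ('/tos/index.php', 'app/del').
    Percent-encoding is decoded so an encoded slash still matches."""
    u = urlsplit(target)
    route = unquote(u.query).split("&", 1)[0].split("=", 1)[0]
    return unquote(u.path), route

def classify(line):
    """Finding dict for a line that hits a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    cve = WATCHED.get(tos_route(m.group("target")))
    if cve is None:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    return {"ip": str(ip), "cve": cve, "status": int(m.group("status")),
            # Off-LAN client on the admin UI: the exposure CVE-2021-30127 describes.
            "external": ip not in LAN}

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2022:10:01:02 +0000] "GET /module/api.php?mobile/wapNasIPS HTTP/1.1" 200 512
203.0.113.7 - - [25/Apr/2022:10:01:09 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 88
192.168.1.20 - - [25/Apr/2022:10:02:30 +0000] "GET /tos/index.php?user/index HTTP/1.1" 200 2048
203.0.113.7 - - [25/Apr/2022:10:03:11 +0000] "GET /module/api.php?mobile%2FwebNasIPS HTTP/1.1" 200 510
"""
```

Running `scan(SAMPLE_LOG)` returns three findings (the ordinary `user/index` request is ignored), each tagged with the CVE whose endpoint it touched and whether the client was off-LAN.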