Vulnerability Details : CVE-2022-24990
Public exploit exists!
Used for ransomware!
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
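The request signature in the description above (the `TNAS` User-Agent sent to `module/api.php?mobile/webNasIPS`) is something a defender can hunt for in the NAS's web-server access logs. The following detector is an added example, not code from this page, from TerraMaster, or from any of the referenced exploits. It assumes a combined-format (nginx/Apache style) access log, uses constructed sample lines with documentation-range addresses and made-up non-vulnerable paths, and assumes the legitimate TNAS mobile client may present the same `TNAS` User-Agent, so a User-Agent hit on its own is reported as a weaker signal than the endpoint-plus-User-Agent combination.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Combined log format (nginx/Apache): assumed layout for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signals taken from the CVE description: the endpoint and the User-Agent value.
VULN_PATH = "/module/api.php"
VULN_QUERY = "mobile/webNasIPS"
VULN_UA = "TNAS"

# Reason labels, strongest first.
PROBE = "cve-2022-24990-probe"               # endpoint and TNAS User-Agent together
ENDPOINT_ONLY = "webNasIPS-without-TNAS-ua"  # endpoint hit with another User-Agent (scanner or variant)
UA_ONLY = "TNAS-ua-other-endpoint"           # TNAS User-Agent elsewhere (weak: assumed to be the real app too)


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    ua: str
    status: int
    reason: str


def classify(target: str, ua: str) -> Optional[str]:
    """Return a reason label if a request target/User-Agent pair matches the CVE-2022-24990 pattern."""
    parts = urlsplit(target)
    # Decode percent-encoding so "mobile%2FwebNasIPS" is not missed by a literal match.
    path = unquote(parts.path)
    query = unquote(parts.query)
    endpoint_hit = path.lower().endswith(VULN_PATH) and VULN_QUERY.lower() in query.lower()
    ua_hit = ua.strip() == VULN_UA
    if endpoint_hit and ua_hit:
        return PROBE
    if endpoint_hit:
        return ENDPOINT_ONLY
    if ua_hit:
        return UA_ONLY
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse combined-format access-log lines and return one Finding per matching request."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        reason = classify(m["target"], m["ua"])
        if reason is None:
            continue
        findings.append(Finding(m["ip"], m["ts"], m["target"], m["ua"], int(m["status"]), reason))
    return findings


# Constructed sample log lines (not real traffic); the non-vulnerable paths are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2023:10:00:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "TNAS"',
    '198.51.100.7 - - [10/Feb/2023:10:00:05 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2023:10:00:09 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 2210 "-" "TNAS"',
    '192.0.2.44 - - [10/Feb/2023:10:01:30 +0000] "GET /module/api.php?mobile%2FwebNasIPS HTTP/1.1" 200 412 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.reason}: {f.target} ua={f.ua!r} status={f.status}")
```

On the sample input the first line is a full probe, the third is a `TNAS` User-Agent on an unrelated path, and the fourth is a percent-encoded hit on the vulnerable endpoint from a generic client. A `200` on the probe line is the response the description says leaks the `PWD` field, so that combination from an address that is not a known mobile client is the one to escalate; the metasploit module on this page chains the leak with CVE-2022-24989 for code execution, so later requests from the same source deserve a look as well.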
CVE-2022-24990 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: TerraMaster OS Remote Command Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
Notes: https://forum.terra-master.com/en/viewtopic.php?t=3030; https://nvd.nist.gov/vuln/detail/CVE-2022-24990
Added on: 2023-02-10
Action due date: 2023-03-03
Exploit prediction scoring system (EPSS) score for CVE-2022-24990
EPSS score: 93.96% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities scored at or below this one)
Metasploit modules for CVE-2022-24990
- TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
  Disclosure Date: 2022-03-07
  First seen: 2023-09-11
  Module: exploit/linux/http/terramaster_unauth_rce_cve_2022_24990
  This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution".
CVSS scores for CVE-2022-24990
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
References for CVE-2022-24990
- https://github.com/0xf4n9x/CVE-2022-24990
  GitHub - 0xf4n9x/CVE-2022-24990: CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation (Exploit; Third Party Advisory)
- https://forum.terra-master.com/en/viewforum.php?f=28
  TOS Update Notice - TerraMaster Official Forum (Issue Tracking; Release Notes)
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
  Attack: TerraMaster TOS RCE CVE-2022-24990 (Third Party Advisory)
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
  CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation – Blog | Octagon Networks (Exploit; Third Party Advisory)
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
  TerraMaster TOS 4.2.29 Remote Code Execution ≈ Packet Storm
Products affected by CVE-2022-24990
- cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*