CVE-2022-24989 — CRITICAL (9.8)

Q: How severe is CVE-2022-24989?

CVE-2022-24989 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-24989?

Check the references section above for vendor advisories and patch information. Affected products include: Terra-Master Terramaster Operating System, Terra-Master F2-210, Terra-Master F2-221, Terra-Master F2-223, Terra-Master F2-422.

Vulnerability Description

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Terra-Master	Terramaster Operating System	< 4.2.31
Terra-Master	F2-210	-
Terra-Master	F2-221	-
Terra-Master	F2-223	-
Terra-Master	F2-422	-
Terra-Master	F2-423	-
Terra-Master	F4-421	-
Terra-Master	F4-422	-
Terra-Master	F4-423	-
Terra-Master	F5-221	-
Terra-Master	F5-422	-
Terra-Master	T12-423	-
Terra-Master	T12-450	-
Terra-Master	T6-423	-
Terra-Master	T9-423	-
Terra-Master	T9-450	-
Terra-Master	U12-322-9100	-
Terra-Master	U12-423	-
Terra-Master	U12-722-2224	-
Terra-Master	U16-322-9100	-

Related Weaknesses (CWE)

CWE-74

References

https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990Third Party Advisory
https://forum.terra-master.com/en/viewforum.php?f=28Release Notes
https://github.com/0xf4n9x/CVE-2022-24990Exploit
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticateExploit
https://packetstormsecurity.com/files/172904ExploitThird Party AdvisoryVDB Entry
https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990Third Party Advisory
https://forum.terra-master.com/en/viewforum.php?f=28Release Notes
https://github.com/0xf4n9x/CVE-2022-24990Exploit
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticateExploit
https://packetstormsecurity.com/files/172904ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2022-24989?

CVE-2022-24989 is a vulnerability with a CVSS score of 9.8 (CRITICAL). TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid UR...

How severe is CVE-2022-24989?

CVE-2022-24989 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-24989?

Check the references section above for vendor advisories and patch information. Affected products include: Terra-Master Terramaster Operating System, Terra-Master F2-210, Terra-Master F2-221, Terra-Master F2-223, Terra-Master F2-422.