CVE-2022-24989
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
20/08/2023
Last modified:
24/08/2023
Description
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:* | 4.2.31 (excluding) | |
| cpe:2.3:h:terra-master:f2-210:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f2-221:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f2-223:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f2-422:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f2-423:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f4-421:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f4-422:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f4-423:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f5-221:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:f5-422:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:t12-423:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:t12-450:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:t6-423:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:terra-master:t9-423:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation
- https://packetstormsecurity.com/files/172904