Critical Bugs in TerraMaster TOS remotely hack NAS devices

Researchers have revealed details about critical security vulnerabilities in TerraMaster network storage (TNAS), which can be exploited sequentially for remote code execution without authentication with the highest privileges.

The problems are related to TOS, an abbreviation of TerraMaster Operating System, and “they can provide unauthorized attackers with access to the victim’s device simply by knowing the IP address“,” said Paulos Ibelo, the head of a cybersecurity company from Ethiopia.

TOS is an operating system developed for TNAS devices and allows users to manage storage, install applications and perform data backups. After responsible disclosure, the vulnerabilities were fixed in TOS version 4.2.30, released on March 1, 2022.

The first vulnerability, CVE-2022-24990, is associated with a leak of information in a component called “webNasIPS”, as a result of which a remote unauthorized user can find out the firmware version of the TOS, the default IP and MAC addresses of the gateway, as well as the hash password of the administrator.

The second vulnerability is related to the lack of implementation of commands in a PHP module called “createRaid” (CVE-2022-24989). By combining the two vulnerabilities, an attacker can send a specially created command for remote code execution.

TerraMaster NAS was also attacked by Deadbolt ransomware, which had previously hacked QNAP and ASUSTOR network storage. “The vulnerability related to the attack of the Deadbolt ransomware has been fixed,” the company noted, recommending that users “reinstall the latest version of the TOS system (4.2.30 or later), thereby preventing further encryption of unencrypted files.”