Description
On December 12, 2020, IHTeam disclosed an unauthenticated remote command execution (RCE) vulnerability, CVE-2020-28188, in TerraMaster’s TOS (the operating system that runs their Network Attached Storage devices). The vulnerability arises from a lack of input validation in the Event parameter in the include/makecvs.php page, which allows attackers to gain control of the system.
According to a Check Point Research blog, CVE-2020-28188 is being exploited in the wild by malicious actors to build an IRC botnet; this attack campaign has been dubbed “FreakOut.” A public proof-of-concept (PoC) consisting of a single GET request has been available since December 12, 2020.
Affected products
TerraMaster TOS (versions 4.2.06 and prior)
Rapid7 analysis
CVE-2020-28188 is remotely and trivially exploitable and gives an attacker root privileges on the vulnerable target system. The poorly sanitized Event parameter of the makecvs.php page is passed directly into a server-side command line, and the TOS web service runs as root. Since the web service also executes PHP files, attackers have a readily available vector for uploading a PHP shell once they have command execution.
Guidance
TerraMaster customers who have TerraMaster TOS instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure TerraMaster TOS is not exposed to the internet until the appropriate patches have been applied.
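As an added example for the investigation step above (not part of the original advisory or of TerraMaster's code), the following script scans web-server access logs for requests to include/makecvs.php whose Event parameter carries characters outside a conservative allowlist, which is the shape a command-injection attempt against this parameter would take. The log lines, IP addresses and parameter values are constructed for the example; the combined log format and the allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2020:10:00:01 +0000] "GET /include/makecvs.php?Event=backup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2020:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2020:10:00:03 +0000] "GET /include/makecvs.php?Event=backup%3Bx HTTP/1.1" 200 77 "-" "curl/7.64.1"
198.51.100.9 - - [12/Dec/2020:10:00:04 +0000] "GET /include/makecvs.php?Event=%60x%60 HTTP/1.1" 200 77 "-" "python-requests/2.25"
"""

# Combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for a legitimate Event value: anything else (shell
# metacharacters such as ; | & ` $ ( ) and whitespace) is treated as suspicious.
SAFE_EVENT = re.compile(r'^[A-Za-z0-9_.-]*$')

VULNERABLE_PATH = "/include/makecvs.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %3B becomes ';' before the check.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def is_suspicious(record):
    """True when the request targets makecvs.php with a non-allowlisted Event."""
    if record is None or not record["path"].endswith(VULNERABLE_PATH):
        return False
    return any(not SAFE_EVENT.match(v) for v in record["params"].get("Event", []))


def find_suspicious(log_text):
    """Return (ip, timestamp, decoded Event value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["params"]["Event"][0]))
    return hits


if __name__ == "__main__":
    for ip, ts, event in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious Event={event!r}")
```

Only query-string parameters are inspected, so this misses values sent in a request body; because the endpoint is unauthenticated, any request to makecvs.php from an untrusted network is worth reviewing regardless of the Event value.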
References
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/