CVE-2021-45837
Published 2022-04-25
CVE-2021-45837: It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to…
Priority: P1 · 85 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 15.91% (96.5th percentile)
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | tos | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting `/tos/index.php?app/del` with crafted POST/GET parameters, which is the RCE trigger endpoint for CVE-2021-45837.
- Detect reconnaissance/hash-harvesting requests to `/module/api.php?mobile/webNasIPS`, which is used in the exploit chain (CVE-2021-45839) to obtain the administrator password hash and MAC address prior to RCE.
- Alert on self-signed/forged session cookies constructed from a known MAC address and user password hash, indicative of CVE-2021-45841 session crafting used as a prerequisite step in this exploit chain.
- Flag unauthenticated login attempts using a null/empty password hash, which can be used to abuse the guest account as part of this exploit chain.
- Note: the guest account is disabled by default on TerraMaster TOS; if enabled, it can be abused with a null/empty hash to gain unauthenticated access as a stepping stone in the exploit chain.
- Note: affected versions are TerraMaster TOS 4.2.15 and below (specifically confirmed on F4-210, F2-210 running TOS 4.2.X / 4.2.15-2107141517). Ensure patching covers all devices on these firmware lines.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-46j4-7889-xgxc: It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4
ghsa_unreviewed · 2022-04-26 · CVE-2021-45837 [CRITICAL]
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
VulnCheck
Terramaster index.php app/del Vulnerability
vulncheck · 2021 · CVSS 9.8 · CVE-2021-45837 [CRITICAL]
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Affected: TerraMaster tos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-global-espionage-campaign.pdf
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/172881/TerraMaster-TOS-4.2.15-Remote-Code-Execution.html
- https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/
Timeline
- 2022-04-25: Published
- Exploited in the wild