CVE-2021-45837
published 2022-04-25


Priority: P1 85 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: ITW exploit · VulnCheck KEV · exploited in the wild
EPSS: 15.91% (96.5th percentile)
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

Affected (1 range)

Vendor        Product   Version range   Fixed in
terra-master  tos

Detection & IOCs (extracted from sources)

URL: /tos/index.php?app/del
URL: /module/api.php?mobile/webNasIPS
  • Monitor HTTP requests targeting `/tos/index.php?app/del` with crafted POST/GET parameters; this is the RCE trigger endpoint for CVE-2021-45837.
  • Detect reconnaissance/hash-harvesting requests to `/module/api.php?mobile/webNasIPS`, which the exploit chain (CVE-2021-45839) uses to obtain the administrator password hash and MAC address before the RCE step.
  • Alert on self-signed/forged session cookies constructed from a known MAC address and user password hash, indicative of the CVE-2021-45841 session crafting used as a prerequisite step in this exploit chain.
  • Flag unauthenticated login attempts that use a null/empty password hash, which can be used to abuse the guest account as part of this exploit chain.
  • The guest account is disabled by default on TerraMaster TOS; if it has been enabled, it can be abused with a null/empty hash to gain unauthenticated access as a stepping stone in the exploit chain.
  • Affected versions are TerraMaster TOS 4.2.15 and below (confirmed on F4-210 and F2-210 running TOS 4.2.X / 4.2.15-2107141517). Ensure patching covers all devices on these firmware lines.
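The first two detection notes above can be turned into a small log-matching rule that also correlates the recon and RCE endpoints per source address. The script below is an added example, not code from cvebase or TerraMaster; it assumes a reverse proxy or web server in front of TOS writing Apache combined-format access logs (the regex and the sample lines are assumptions, and the sample log is constructed for the example). It flags any hit on `/module/api.php?mobile/webNasIPS` as medium, any hit on `/tos/index.php?app/del` as high, and upgrades the latter to critical when the same source hit the webNasIPS endpoint within the preceding ten minutes, which is the chain order described above.

```python
import re
from datetime import datetime

# Endpoints named in the advisory's detection notes.
RCE_ENDPOINT = "/tos/index.php?app/del"
RECON_ENDPOINT = "/module/api.php?mobile/webNasIPS"

# Apache combined log format (assumption; adjust for your proxy's format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one full chain from 203.0.113.7, one benign TOS
# request from 198.51.100.3, and a lone (rejected) app/del hit from 192.0.2.9.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2023:10:00:09 +0000] "POST /tos/index.php?app/del HTTP/1.1" 200 51
198.51.100.3 - - [10/Jan/2023:10:05:00 +0000] "GET /tos/index.php?app/list HTTP/1.1" 200 4096
192.0.2.9 - - [10/Jan/2023:11:30:00 +0000] "POST /tos/index.php?app/del&x=1 HTTP/1.1" 403 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    req["status"] = int(req["status"])
    return req


def _hits(target, endpoint):
    # Exact match, or the same query string followed by further '&' parameters.
    return target == endpoint or target.startswith(endpoint + "&")


def classify(req):
    """Return which advisory endpoint the request targets, or None."""
    if _hits(req["target"], RCE_ENDPOINT):
        return "rce"
    if _hits(req["target"], RECON_ENDPOINT):
        return "recon"
    return None


def detect(lines, chain_window_s=600):
    """Return a list of (severity, source_ip, reason) alerts for the given log lines."""
    alerts = []
    last_recon = {}  # source IP -> timestamp of its most recent webNasIPS request
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        kind = classify(req)
        if kind is None:
            continue
        src, ts = req["src"], req["ts"]
        if kind == "recon":
            last_recon[src] = ts
            alerts.append(("medium", src, "hash-harvesting request to webNasIPS (CVE-2021-45839)"))
            continue
        severity = "high"
        reason = "request to app/del RCE endpoint (CVE-2021-45837)"
        prior = last_recon.get(src)
        if prior is not None and 0 <= (ts - prior).total_seconds() <= chain_window_s:
            severity = "critical"
            reason += "; preceded by webNasIPS from the same source (exploit chain)"
        alerts.append((severity, src, reason))
    return alerts


if __name__ == "__main__":
    for severity, src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {src}: {reason}")
```

The status code is parsed but deliberately not used to suppress alerts: a 403 on `app/del` is still a probe worth seeing, and a 200 on its own says nothing about whether the command ran. The ten-minute correlation window is a tunable assumption.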

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  —         9.8     CRITICAL