Positive Technologies expert Nikita Abramov found a vulnerability in the ASUSTOR Data Master (ADM) operating system for managing network-attached storage (NAS) devices. It allowed an intruder to remotely execute arbitrary code in the operating system of NAS devices.
The vulnerability CVE-2022-37398 (BDU:2022-05028) received a CVSS v3 score of 7.1, which makes it high-risk.
At the time of writing this press release, the IP addresses of approximately 3,700 potentially vulnerable NAS devices could be found online. Most of these devices were located in Taiwan, China, South Korea, Germany, the U.S., France, Russia, Japan, Hong Kong, and Singapore.
"With buffer overflow vulnerabilities, as in this case, an attacker can use the targeted subroutine to write outside the allocated buffer. Sometimes this can lead to a violation of the program logic, a denial of service (DoS), or, in some cases, to the execution of arbitrary code, allowing various scripts to be run on the side of the targeted host," says Nikita Abramov. "For example, to install malware to intercept data, deploy ransomware, or download confidential data. Such errors very often occur when there is no check on the maximum length of the data received, or when it is processed incorrectly. In this case, the successful execution of code on the targeted device is facilitated by an error related to the header of an incoming request, as well as the lack of necessary protection mechanisms to prevent exploitation of the running application."
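The bug class Abramov describes, an incoming request header copied into a fixed-size buffer with no check on its length, looks like the following in its simplest form. This is an added illustration written for this page, not ADM's code and not the actual vulnerable routine: the header name, the 64-byte limit, and the sample request lines are assumptions constructed for the example. The unsafe variant is shown only for contrast beside the hardened one and is never fed the oversized input.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer a request handler might keep for one header value.
 * The limit is an assumption for this example, not a value taken from ADM. */
#define HDR_VALUE_MAX 64

/* Skip the "Name:" part and leading blanks; return a pointer to the value,
 * or NULL if the line is not a header at all. */
static const char *header_value(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return NULL;
    const char *value = colon + 1;
    while (*value == ' ' || *value == '\t')
        value++;
    return value;
}

/* VULNERABLE PATTERN: the value is copied with strcpy, so a header value of
 * HDR_VALUE_MAX bytes or more writes past the end of `out` (a buffer
 * overflow, stack-based if the caller's buffer lives on the stack).
 * Returns 0 on success, -1 if the line is not a header.
 * Never call this with untrusted input; it exists here only for contrast. */
int copy_header_value_unsafe(const char *line, char out[HDR_VALUE_MAX])
{
    const char *value = header_value(line);
    if (value == NULL)
        return -1;
    strcpy(out, value);                 /* no length check at all */
    out[strcspn(out, "\r\n")] = '\0';   /* strip the line terminator */
    return 0;
}

/* HARDENED: measure the value before copying and reject the request when it
 * would not fit, rather than truncating silently or overflowing.
 * Returns 0 on success, -1 if not a header, -2 if the value is too long. */
int copy_header_value_safe(const char *line, char *out, size_t out_len)
{
    const char *value = header_value(line);
    if (value == NULL)
        return -1;
    size_t n = strcspn(value, "\r\n");  /* value ends at CR or LF */
    if (n >= out_len)                   /* must leave room for the NUL */
        return -2;
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Build a constructed "Destination:" header whose value is `value_len`
 * bytes of 'A', terminated by CRLF and a NUL. Used only as test input. */
void make_long_header(char *buf, size_t buf_len, size_t value_len)
{
    size_t prefix = strlen("Destination: ");
    if (value_len + prefix + 3 > buf_len)
        value_len = buf_len - prefix - 3;
    memcpy(buf, "Destination: ", prefix);
    memset(buf + prefix, 'A', value_len);
    memcpy(buf + prefix + value_len, "\r\n", 3);  /* copies the NUL too */
}

int main(void)
{
    char out[HDR_VALUE_MAX];
    char line[512];

    /* Constructed in-bounds WebDAV-style header: both parsers accept it. */
    int rc = copy_header_value_safe("Depth: 1\r\n", out, sizeof out);
    printf("safe, short value: rc=%d value=\"%s\"\n", rc, out);

    /* Constructed 300-byte value: the hardened parser refuses it. The unsafe
     * parser would overwrite whatever follows `out`, so it is not called. */
    make_long_header(line, sizeof line, 300);
    rc = copy_header_value_safe(line, out, sizeof out);
    printf("safe, 300-byte value: rc=%d (rejected)\n", rc);
    return 0;
}
```

The length check is the actual fix; compile-time mitigations such as stack protectors, non-executable stacks, and position-independent executables only make an overflow harder to turn into code execution, they do not remove the bug, which is the second point Abramov's quote makes about missing protection mechanisms.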
Several versions of ADM are affected by the new vulnerability: 3.5.9.RUE3, 4.0.5.RVI1, 4.1.0.RJD1, as well as earlier versions of the software. As a temporary workaround, device administrators can disable the WebDAV protocol. To address the vulnerability, ASUSTOR recommends upgrading affected installations to the following versions or later:
- Upgrade ADM 4.1 to version 4.1.0.RKM1.
- Upgrade ADM 4.0 to version 4.0.5.RWM1.
- Upgrade ADM 3.5 to version 3.5.9.RWM1.
Cybercriminal attacks on NAS have been commonplace over the past year. In February 2022, owners of ASUSTOR NAS devices used Reddit and the official ASUSTOR forum to report DeadBolt ransomware attacks. Earlier, in January 2022, according to Positive Technologies’ "Cybersecurity threatscape: Q1 2022" report, QNAP NAS devices were mass-encrypted using Qlocker and DeadBolt ransomware.
- ASUSTOR, a subsidiary of ASUS, one of the world’s leading electronics and computer hardware manufacturers, makes NAS devices.