CVE-2018-11509

9.8 CRITICAL

📋 TL;DR

This vulnerability in ASUSTOR NAS ADM software allows attackers to gain administrative access using default credentials (root:admin) for installed applications. Attackers can then upload webshells and execute arbitrary commands. All ASUSTOR NAS devices running ADM 3.1.0.RFQ3 with applications from the online repository are affected.

💻 Affected Systems

Products:
  • ASUSTOR NAS devices with ADM software
Versions: ADM 3.1.0.RFQ3
Operating Systems: ASUSTOR ADM (Linux-based NAS OS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where applications have been installed from the online repository using default credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, data theft, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Unauthorized administrative access leading to data exfiltration, system manipulation, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if default credentials are changed and proper network segmentation is implemented.

🌐 Internet-Facing: HIGH - Directly exploitable over the internet if NAS management interface is exposed.
🏢 Internal Only: HIGH - Exploitable from any internal network segment with access to the NAS management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of default credentials but is straightforward once obtained. Multiple public exploit scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ADM 3.1.1 and later

Vendor Advisory: https://www.asustor.com/en-gb/security/security_advisory?product=ADM&id=1

Restart Required: Yes

Instructions:

1. Log into the ADM web interface.
2. Navigate to Settings > ADM Update.
3. Check for and install ADM 3.1.1 or later.
4. Restart the NAS when prompted.

🔧 Temporary Workarounds

Change Default Application Credentials

Applies to: all

Change the default root:admin password for all installed applications.

Login to ADM web interface > Access Control > Users > Edit root user > Change password

Disable Unnecessary Applications

Applies to: all

Remove or disable applications not in use to reduce the attack surface.

Login to ADM web interface > App Central > Select application > Uninstall

🧯 If You Can't Patch

  • Immediately change all default credentials, especially for the root/admin accounts
  • Implement network segmentation to isolate NAS from internet and restrict internal access

🔍 How to Verify

Check if Vulnerable:

Check the ADM version in Settings > ADM Update. If the version is 3.1.0.RFQ3 and applications from the online repository are installed, the system is vulnerable.

Check Version:

ssh admin@nas-ip 'adm version', or check the web interface under Settings > ADM Update.

Verify Fix Applied:

Verify ADM version is 3.1.1 or later in Settings > ADM Update. Confirm default credentials no longer work for application access.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful root/admin login
  • Unusual file uploads to web directories
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected outbound connections from NAS
  • Unusual traffic to NAS management ports (8000, 8001)

SIEM Query:

source="asustor_nas" AND ((event_type="authentication" AND user="root" AND result="success") OR (event_type="file_upload" AND (path LIKE "%.php" OR path LIKE "%.jsp")))

The clauses are parenthesised so that the source filter applies to both the authentication and the file-upload branch; without the parentheses, AND binds tighter than OR and the query would match any .jsp upload from any source.
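As an added example (not part of this advisory page), the following script applies the two log indicators listed above to constructed sample log lines: a successful root/admin login preceded by repeated failures from the same source, and an upload of a script file into a web directory. The syslog-style line format, the field names and the regular expressions are assumptions, since the page does not show the real ADM log format.

```python
import re
from collections import defaultdict

# Assumed line formats (the real ADM log format is not documented on this page).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>failed|success) user=(?P<user>\S+) src=(?P<src>\S+)$")
UPLOAD_RE = re.compile(r"^(?P<ts>\S+) web: upload path=(?P<path>\S+) user=(?P<user>\S+)$")
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".jspx")   # extensions worth alerting on in a web directory
PRIV_USERS = ("root", "admin")

# Constructed sample log lines; the IP addresses are documentation ranges.
SAMPLE_LOGS = """\
2018-06-01T10:00:01 auth: login failed user=root src=203.0.113.5
2018-06-01T10:00:02 auth: login failed user=root src=203.0.113.5
2018-06-01T10:00:03 auth: login failed user=root src=203.0.113.5
2018-06-01T10:00:05 auth: login success user=root src=203.0.113.5
2018-06-01T10:01:10 web: upload path=/volume1/Web/img/photo.png user=root
2018-06-01T10:01:12 web: upload path=/volume1/Web/tmp/cmd.php user=root
2018-06-01T11:00:00 auth: login success user=admin src=192.0.2.10
"""


def find_alerts(log_text, fail_threshold=3):
    """Return one alert string per matched indicator, in log order."""
    failures = defaultdict(int)   # (user, src) -> consecutive failed logins seen so far
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            key = (m["user"], m["src"])
            if m["result"] == "failed":
                failures[key] += 1
            else:
                # Indicator 1: privileged login that follows a run of failures from the same source.
                if m["user"] in PRIV_USERS and failures[key] >= fail_threshold:
                    alerts.append(f"{m['ts']} {m['user']} login from {m['src']} "
                                  f"after {failures[key]} failures")
                failures[key] = 0
            continue
        m = UPLOAD_RE.match(line)
        # Indicator 2: server-side script dropped into a web directory.
        if m and m["path"].lower().endswith(SCRIPT_EXT):
            alerts.append(f"{m['ts']} script upload {m['path']} by {m['user']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print("ALERT:", alert)
```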

🔗 References