CVE-2019-18195
📋 TL;DR
This vulnerability allows normal users on TerraMaster FS-210 devices to elevate their privileges to administrator level by accessing the 1.user.php endpoint. It affects TerraMaster FS-210 network-attached storage devices running vulnerable firmware versions. Any user with a standard account on these devices can potentially gain full administrative control.
💻 Affected Systems
- TerraMaster FS-210
📦 What is this software?
F2 210 Firmware by Terra Master
⚠️ Risk & Real-World Impact
Worst Case
An attacker with normal user access gains full administrative control over the NAS device, allowing them to access all data, modify configurations, install malware, or use the device as a pivot point into the network.
Likely Case
Malicious insiders or compromised user accounts gain administrative privileges, leading to data theft, system configuration changes, or disruption of NAS services.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the NAS device itself, preventing lateral movement to other systems.
🎯 Exploit Status
Exploitation requires a valid user account but is trivial to execute. Public proof-of-concept code demonstrates simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0 or later
Vendor Advisory: https://www.terra-master.com/
Restart Required: Yes
Instructions:
1. Log into TerraMaster admin interface.
2. Navigate to Control Panel > System > Update.
3. Check for available updates.
4. Install firmware version 4.1.0 or later.
5. Reboot the device after installation.
🔧 Temporary Workarounds
Disable web interface access
Restrict access to the TerraMaster web interface to trusted IP addresses only
Configure firewall rules to block port 8181 (default web interface port) from untrusted networks
Remove unnecessary user accounts
Reduce attack surface by removing all non-essential user accounts
Log into admin interface > Control Panel > User > Delete unnecessary accounts
🧯 If You Can't Patch
- Isolate the TerraMaster device on a separate VLAN with strict access controls
- Implement network monitoring for suspicious privilege escalation attempts to the 1.user.php endpoint
🔍 How to Verify
Check if Vulnerable:
Check if the device responds to HTTP POST requests to /module/api.php?mobile/webNasIPS with specific parameters that trigger privilege escalation
Check Version:
Check web interface login page or System Information page in admin panel
Verify Fix Applied:
Verify firmware version is 4.1.0 or later and test that the privilege escalation attempt no longer works
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /module/api.php?mobile/webNasIPS with privilege escalation parameters
- Unusual user privilege changes in system logs
Network Indicators:
- HTTP traffic to TerraMaster device on port 8181 containing 1.user.php references
- Multiple failed privilege escalation attempts
SIEM Query:
source="terra-master" AND (uri_path="/module/api.php" AND uri_query="mobile/webNasIPS")
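The log and network indicators above, together with the "If You Can't Patch" advice to monitor for attempts against the escalation endpoint, can be turned into a small detector. The script below is an added example written for this page, not TerraMaster code or a vendor-supplied rule: it parses web-server access-log lines in combined format (an assumed format; TerraMaster's real log layout may differ), flags POST requests to /module/api.php?mobile/webNasIPS and any request referencing 1.user.php, and raises a summary alert when one source hits the endpoint repeatedly. The sample log lines are constructed for the demonstration.

```python
"""Detector for the CVE-2019-18195 indicators listed under Detection & Monitoring.

Added example, not TerraMaster code. The combined access-log format and the
repeat threshold are assumptions; adjust LOG_RE to the device's real log layout.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the page's Log/Network Indicators and SIEM query.
ESCALATION_PATH = "/module/api.php"
ESCALATION_QUERY = "mobile/webNasIPS"
SUSPECT_FILE = "1.user.php"


@dataclass
class Event:
    src: str
    user: str
    ts: str
    method: str
    path: str
    query: str
    status: int


@dataclass
class Alert:
    rule: str
    src: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))  # splits "/module/api.php?mobile/webNasIPS"
    return Event(
        src=m.group("src"), user=m.group("user"), ts=m.group("ts"),
        method=m.group("method"), path=parts.path, query=parts.query,
        status=int(m.group("status")),
    )


def classify(ev: Event) -> Optional[Alert]:
    """Map one request to the page's indicators; None means benign."""
    if ev.method == "POST" and ev.path == ESCALATION_PATH and ESCALATION_QUERY in ev.query:
        return Alert("cve-2019-18195-endpoint", ev.src, ev.user,
                     f"POST {ev.path}?{ev.query} at {ev.ts} (status {ev.status})")
    if SUSPECT_FILE in ev.path or SUSPECT_FILE in ev.query:
        return Alert("1.user.php-reference", ev.src, ev.user,
                     f"{ev.method} {ev.path} at {ev.ts}")
    return None


def scan(lines: Iterable[str], repeat_threshold: int = 3) -> List[Alert]:
    """Return one alert per matching request, plus a summary alert for every
    source that hit the escalation endpoint at least repeat_threshold times."""
    alerts: List[Alert] = []
    hits: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert is None:
            continue
        alerts.append(alert)
        if alert.rule == "cve-2019-18195-endpoint":
            hits[ev.src] += 1
    for src, n in hits.items():
        if n >= repeat_threshold:
            alerts.append(Alert("repeated-escalation-attempts", src, "-",
                                f"{n} requests to {ESCALATION_PATH}?{ESCALATION_QUERY}"))
    return alerts


# Constructed sample lines (not from a real device): 10.0.0.5 hits the endpoint
# three times, 10.0.0.7 requests 1.user.php, 10.0.0.9 is ordinary traffic with
# placeholder paths.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Oct/2019:10:01:02 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '10.0.0.5 - alice [12/Oct/2019:10:01:03 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '10.0.0.5 - alice [12/Oct/2019:10:01:04 +0000] "POST /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '10.0.0.7 - bob [12/Oct/2019:10:02:10 +0000] "GET /1.user.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - carol [12/Oct/2019:10:03:00 +0000] "POST /module/api.php?mobile/placeholderCall HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - carol [12/Oct/2019:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] src={a.src} user={a.user} {a.detail}")
```

The per-request rule mirrors the page's SIEM query (path and query matched separately rather than as one string, so parameter ordering does not matter), while the summary rule covers the "multiple attempts" network indicator; tune repeat_threshold to the device's normal usage before deploying.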