CVE-2021-30127 – TerraMaster F2-210 NAS devices expose their adm... (How to Fix)

Q: What is the severity of CVE-2021-30127?

CVE-2021-30127 has a CVSS score of 7.3 (HIGH). TerraMaster F2-210 NAS devices expose their admin web interface to the internet via UPnP, contrary to documentation stating it's only available locally. This allows remote attackers to potentially access the administrative interface without authentication. All TerraMaster F2-210 users with default UPnP settings are affected.

📋 TL;DR

TerraMaster F2-210 NAS devices expose their admin web interface to the internet via UPnP, contrary to documentation stating it's only available locally. This allows remote attackers to potentially access the administrative interface without authentication. All TerraMaster F2-210 users with default UPnP settings are affected.

💻 Affected Systems

Products:

TerraMaster F2-210

Versions: All versions through 2021-04-03

Operating Systems: TerraMaster TOS

Default Config Vulnerable: ⚠️ Yes

Notes: Devices with UPnP enabled and connected to internet-facing routers are vulnerable. The vulnerability stems from UPnP automatically opening port 8181 to the internet.

📦 What is this software?

F2 210 Firmware by Terra Master

View all CVEs affecting F2 210 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers gain administrative access to the NAS, potentially compromising all stored data, installing malware, or using the device as an attack vector into the local network.

🟠

Likely Case

Unauthorized remote access to the admin interface, allowing configuration changes, data access, or service disruption.

🟢

If Mitigated

Limited to local network attacks only, requiring attacker presence on the internal network.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only network access to port 8181. No authentication bypass needed as the interface is directly exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Refer to workarounds section for mitigation steps.

🔧 Temporary Workarounds

Disable UPnP via configuration file

linux

Manually edit the UPnP configuration file to prevent automatic port forwarding

ssh into device
edit /etc/upnp.json to disable UPnP functionality

Router-level UPnP blocking

all

Disable UPnP on your internet router to prevent automatic port forwarding

🧯 If You Can't Patch

Disconnect device from internet or place behind firewall blocking port 8181
Change default admin credentials and implement strong authentication

🔍 How to Verify

Check if Vulnerable:

Check if port 8181 is open to the internet using tools like nmap or online port scanners from outside your network

Check Version:

Check device firmware version in admin interface or via ssh command

Verify Fix Applied:

Verify port 8181 is no longer accessible from the internet after applying workarounds

📡 Detection & Monitoring

Log Indicators:

Unusual login attempts on port 8181
Configuration changes from external IPs

Network Indicators:

External connections to internal port 8181
UPnP requests opening port 8181

SIEM Query:

source_ip IN external_ips AND dest_port=8181 AND protocol=TCP

📊 Metadata

CVE ID: CVE-2021-30127

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Published: April 3, 2021

Last Updated: November 21, 2024

🔗 References

https://kn100.me/terramaster-nas-exposing-itself-over-upnp/ Exploit,Third Party Advisory
https://news.ycombinator.com/item?id=26681984 Issue Tracking,Third Party Advisory
https://kn100.me/terramaster-nas-exposing-itself-over-upnp/ Exploit,Third Party Advisory
https://news.ycombinator.com/item?id=26681984 Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON