CVE-2021-45840
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary commands with root privileges on Terramaster NAS devices by sending specially crafted input to a specific PHP endpoint. It affects Terramaster F4-210 and F2-210 models running TOS 4.2.X versions. Successful exploitation gives complete control over the affected device.
💻 Affected Systems
- Terramaster F4-210
- Terramaster F2-210
📦 What is this software?
TOS, the operating system that Terramaster ships on its NAS devices.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the NAS device with root access, allowing data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Remote code execution leading to data exfiltration, cryptomining, or joining botnets, given the high CVSS score and unauthenticated nature.
If Mitigated
Limited impact if device is isolated behind strict network controls with no internet exposure, though still vulnerable to internal threats.
🎯 Exploit Status
Detailed exploit analysis is publicly available in the referenced blog posts, showing straightforward exploitation via HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TOS versions after 4.2.15-2107141517
Vendor Advisory: Not specified in provided references
Restart Required: Yes
Instructions:
1. Log into the Terramaster TOS web interface.
2. Navigate to Control Panel > General Settings > Update & Restore.
3. Check for and apply the latest TOS update.
4. Reboot the device after the update completes.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Use firewall rules to block access to the /tos/index.php?app/app_start_stop endpoint:
iptables -A INPUT -p tcp --dport 80 -m string --string "/tos/index.php?app/app_start_stop" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/tos/index.php?app/app_start_stop" --algo bm -j DROP
Note that the string match only sees plaintext: on port 443 the request line is inside TLS, so the second rule will not match and HTTPS access to the endpoint must instead be filtered at a TLS-terminating proxy or WAF, or by blocking the port entirely. The match also inspects individual packets, so a request line split across TCP segments can pass the port 80 rule.
Disable web interface if not needed
Turn off the TOS web management interface to prevent exploitation (the first command is for SysV-style init, the second for systemd; use whichever the device provides):
/etc/init.d/lighttpd stop
systemctl disable lighttpd
🧯 If You Can't Patch
- Isolate device on separate VLAN with strict network access controls
- Implement WAF rules to block requests containing command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check TOS version in web interface: Control Panel > General Settings > About. If version is 4.2.X and build number is 2107141517 or earlier, device is vulnerable.
Check Version:
Run cat /etc/version on the device, or check via the TOS web interface.
Verify Fix Applied:
Verify TOS version is updated beyond 4.2.15-2107141517. Test by attempting to access the vulnerable endpoint with safe payloads.
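The version rule above (4.2.X with build number 2107141517 or earlier is vulnerable; anything after 4.2.15-2107141517 is fixed) is easy to get wrong when comparing strings by eye across a fleet. The following is an added example, not part of the advisory or any Terramaster tooling: it parses a TOS version string of the form major.minor.patch-build, such as the output of cat /etc/version, and applies the advisory's rule. The assumption that the build suffix is always a plain decimal timestamp-like integer is mine; a version string without a build suffix falls back to comparing major.minor.patch against 4.2.15.

```python
import re
from typing import NamedTuple, Optional

# Last vulnerable build and version stated in the advisory (4.2.15-2107141517).
FIXED_BUILD = 2107141517
FIXED_VERSION = (4, 2, 15)


class TosVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: Optional[int]   # None when the string carries no "-build" suffix


# Assumed format: "4.2.15-2107141517" or "4.2.15"; the build is treated as an integer.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def parse_tos_version(text: str) -> TosVersion:
    """Parse a TOS version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TOS version string: {text!r}")
    major, minor, patch, build = m.groups()
    return TosVersion(int(major), int(minor), int(patch), int(build) if build else None)


def is_vulnerable(text: str) -> bool:
    """Apply the advisory's rule: 4.2.X with build <= 2107141517 is vulnerable."""
    v = parse_tos_version(text)
    if (v.major, v.minor) != (4, 2):
        return False   # the advisory only covers the 4.2.X line
    if v.build is not None:
        return v.build <= FIXED_BUILD
    # No build number available: fall back to the patch level named in the fix.
    return (v.major, v.minor, v.patch) <= FIXED_VERSION


if __name__ == "__main__":
    import sys
    # Usage: python check_tos.py "$(cat /etc/version)"  (path taken from the advisory)
    for arg in sys.argv[1:] or ["4.2.15-2107141517"]:
        print(f"{arg}: {'VULNERABLE' if is_vulnerable(arg) else 'not affected by this rule'}")
```

Feed it the version strings collected from each device (for example from an inventory export) rather than running it on the NAS itself; the parser is deliberately strict so that a malformed or truncated string raises instead of silently reporting "not affected".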
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /tos/index.php?app/app_start_stop with unusual parameters
- System logs showing unexpected root command execution
- Web server logs with command injection patterns
Network Indicators:
- HTTP POST/GET requests to vulnerable endpoint with shell metacharacters
- Outbound connections from NAS to unknown IPs post-exploitation
SIEM Query (pseudo-syntax; field names depend on your log source):
source="web_access.log" AND uri="/tos/index.php?app/app_start_stop" AND (param="cmd" OR param="command" OR param="exec")
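The log indicators above ("requests to /tos/index.php?app/app_start_stop with unusual parameters" and "shell metacharacters") can be checked offline against an exported access log. The script below is an added example, not part of the advisory: it parses common/combined-format web server log lines, keeps only requests to the endpoint named in the indicators, percent-decodes each query parameter and flags any that contains a shell metacharacter. The four log lines are constructed for the example (documentation IP ranges, a placeholder parameter name p), and the exact log format of the TOS web server is an assumption; adjust LOG_RE to match yours. POST bodies are not present in access logs, so plain hits on the endpoint are counted separately for manual review.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Endpoint named in the advisory's detection indicators.
VULN_ENDPOINT = "/tos/index.php?app/app_start_stop"

# Shell metacharacters that have no business in an application-name style parameter.
META_RE = re.compile(r"[;|&`$<>\n]")

# Common/combined log format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Only the 198.51.100.7 request
# carries a percent-encoded ';' inside a parameter value.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2022:10:00:01 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 512
192.0.2.11 - - [10/Jan/2022:10:00:05 +0000] "POST /tos/index.php?app/app_start_stop HTTP/1.1" 200 44
198.51.100.7 - - [10/Jan/2022:10:01:12 +0000] "GET /tos/index.php?app/app_start_stop&p=demo%3Bx HTTP/1.1" 200 120
192.0.2.12 - - [10/Jan/2022:10:02:00 +0000] "GET /tos/index.php?app/app_start_stop&p=demo HTTP/1.1" 200 44
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str) -> Dict[str, object]:
    """Count hits on the endpoint and list those whose decoded parameters carry metacharacters."""
    hits = 0
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri"].startswith(VULN_ENDPOINT):
            continue
        hits += 1
        # Split on the raw '&' first so the separator itself is not flagged,
        # then decode each parameter: an encoded %3B or %26 only shows up after decoding.
        rest = rec["uri"][len(VULN_ENDPOINT):]
        params = [urllib.parse.unquote_plus(p) for p in rest.lstrip("&").split("&") if p]
        bad = [c for p in params for c in META_RE.findall(p)]
        if bad:
            findings.append({
                "client": rec["client"],
                "ts": rec["ts"],
                "method": rec["method"],
                "uri": rec["uri"],
                "metachars": "".join(sorted(set(bad))),
            })
    return {"endpoint_hits": hits, "findings": findings}


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    print(f"requests to endpoint: {result['endpoint_hits']}")
    for f in result["findings"]:
        print(f"ALERT {f['ts']} {f['client']} {f['method']} {f['uri']} metachars={f['metachars']}")
```

Run it over the real log with scan_access_log(open(path).read()); any finding is worth correlating with the system-log and outbound-connection indicators listed above, and a burst of plain POST hits from a single external client is itself unusual for a management endpoint.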