CVE-2021-45842

7.5 HIGH

📋 TL;DR

This vulnerability in Terramaster NAS devices allows unauthenticated attackers to retrieve sensitive information including the first administrator's password hash, MAC address, and internal IP address via a specific API endpoint. It affects Terramaster F4-210 and F2-210 devices running TOS 4.2.X up to version 4.2.15-2107141517. This information disclosure could facilitate further attacks against the system.

💻 Affected Systems

Products:
  • Terramaster F4-210
  • Terramaster F2-210
Versions: TOS 4.2.X up to and including 4.2.15-2107141517
Operating Systems: Terramaster Operating System (TOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default web interface configuration. Devices must have the vulnerable TOS version installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain administrator credentials, gain full control of the NAS, access sensitive data, and potentially pivot to other network systems.

🟠 Likely Case

Attackers harvest administrator password hashes for offline cracking, then gain administrative access to the NAS to steal or encrypt data.

🟢 If Mitigated

Limited to information disclosure only if strong, unique passwords are used and the NAS is isolated from critical systems.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible without authentication and could be exploited by any internet-facing attacker.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges and access sensitive NAS data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP GET request to the vulnerable endpoint. The referenced blog posts demonstrate the attack technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TOS versions after 4.2.15-2107141517

Vendor Advisory: Not publicly documented in vendor advisory

Restart Required: Yes

Instructions:

1. Log into the Terramaster TOS web interface.
2. Navigate to Control Panel > General Settings > Update & Restore.
3. Check for available updates.
4. Install the latest TOS version.
5. Reboot the NAS after the update completes.

🔧 Temporary Workarounds

Block API Endpoint


Use web server or firewall rules to block access to the vulnerable /module/api.php endpoint. The string-match rules below only inspect plaintext HTTP: on port 443 the request path is inside TLS, so the second rule will not match unless the NAS serves unencrypted traffic on that port. Blocking the whole API path may also break legitimate clients that use the same endpoint, so test before deploying.

# Example iptables rule (plaintext HTTP): iptables -A INPUT -p tcp --dport 80 -m string --string "/module/api.php" --algo bm -j DROP
# Example iptables rule (only effective if port 443 carries unencrypted HTTP): iptables -A INPUT -p tcp --dport 443 -m string --string "/module/api.php" --algo bm -j DROP

Network Segmentation


Isolate Terramaster NAS devices from untrusted networks and limit access to trusted IPs only. The ACCEPT rule must be inserted before the DROP rule, and multiple ports require the multiport match (a bare --dport does not accept a comma-separated list).

# Example firewall rule: iptables -A INPUT -p tcp -m multiport --dports 80,443 -s trusted_ip_range -j ACCEPT
# Example firewall rule: iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Change all administrator passwords to strong, unique passwords that are resistant to hash cracking
  • Disable web interface access from untrusted networks and implement strict network access controls

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[NAS_IP]/module/api.php?mobile/wapNasIPS and check whether the response contains sensitive information, including the administrator password hash.

Check Version:

Check TOS version in web interface: Control Panel > General Settings > System Information

Verify Fix Applied:

After patching, the same request should return an error or no sensitive data. Verify that the TOS version is newer than 4.2.15-2107141517.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /module/api.php?mobile/wapNasIPS in web server logs
  • Unusual authentication attempts following information disclosure

Network Indicators:

  • HTTP requests to the vulnerable endpoint from unexpected sources
  • Subsequent authentication attempts using cracked credentials

SIEM Query:

source="web_logs" AND uri="/module/api.php" AND query_string="mobile/wapNasIPS"
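
Added example (not from this page or the vendor): a small Python parser that applies the log indicators above to constructed combined-format web-server log lines, flagging probes of the vulnerable endpoint per source IP and whether a request to an assumed login path followed from the same address.

```python
import re
from collections import defaultdict

# Combined log format (nginx/Apache style). The sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/module/api.php"
VULN_QUERY = "mobile/wapNasIPS"
LOGIN_MARKER = "login"  # assumed marker for an authentication request; adjust to the real login path

SAMPLE_LOGS = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /module/api.php?mobile/wapNasIPS HTTP/1.1" 200 412
192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /tos/index.php HTTP/1.1" 200 1834
203.0.113.7 - - [10/Oct/2023:13:58:12 +0000] "POST /module/api.php?mobile/login HTTP/1.1" 200 96
198.51.100.4 - - [10/Oct/2023:14:01:09 +0000] "GET /module/api.php?mobile/wapNasIPS HTTP/1.1" 404 0
"""

def parse_line(line):
    """Split one combined-format line into fields; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["uri"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec

def find_probes(log_text):
    """Per source IP: number of probes of the vulnerable endpoint, how many returned 200,
    and whether a later request to the assumed login path came from the same address."""
    probes = defaultdict(lambda: {"probes": 0, "successful": 0, "login_after": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"] == VULN_PATH and VULN_QUERY in rec["query"]:
            probes[ip]["probes"] += 1
            if rec["status"] == "200":  # a 200 suggests the disclosure succeeded
                probes[ip]["successful"] += 1
        elif ip in probes and rec["path"] == VULN_PATH and LOGIN_MARKER in rec["query"]:
            probes[ip]["login_after"] = True  # authentication attempt after a probe
    return dict(probes)

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOGS).items():
        print(ip, info)
```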

🔗 References
