CVE-2023-3698
📋 TL;DR
This CVE describes a path traversal vulnerability in ASUSTOR ADM printer service that allows remote unauthenticated attackers to delete files outside intended directories. Affected systems include ASUSTOR ADM versions 4.0.6.RIS1, 4.1.0 and below, and 4.2.2.RI61 and below.
💻 Affected Systems
- ASUSTOR ADM
📦 What is this software?
ADM (ASUSTOR Data Master), the operating system that runs on ASUSTOR NAS devices
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, potentially leading to data loss, service disruption, or enabling further attacks.
Likely Case
Unauthorized file deletion causing data loss, service disruption, or enabling privilege escalation by deleting security-related files.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to the printer service.
🎯 Exploit Status
Path traversal vulnerabilities typically have low exploitation complexity, especially with unauthenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to ADM versions above 4.0.6.RIS1, 4.1.0, or 4.2.2.RI61 as specified in the vendor advisory
Vendor Advisory: https://www.asustor.com/security/security_advisory_detail?id=28
Restart Required: Yes
Instructions:
1. Log into the ADM web interface.
2. Navigate to the ADM Update section.
3. Check for available updates.
4. Apply the latest ADM version update.
5. Restart the NAS when prompted.
🔧 Temporary Workarounds
Disable Printer Service
Temporarily disable the vulnerable printer service until patching is complete
Navigate to ADM Settings > Services > Printer Service > Toggle OFF
Network Access Control
Restrict network access to the printer service port (typically 631 for IPP)
Use firewall rules to block external access to port 631/tcp
🧯 If You Can't Patch
- Isolate affected NAS devices from internet and restrict internal network access
- Implement strict file system permissions and monitoring for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check ADM version in web interface: Settings > General > ADM Version
Check Version:
ssh admin@nas-ip 'cat /etc/version' or check via ADM web interface
Verify Fix Applied:
Verify ADM version is updated beyond affected versions and printer service is functioning normally
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Printer service access from unexpected IP addresses
- Failed file deletion attempts with path traversal patterns
Network Indicators:
- HTTP requests to printer service with ../ patterns in URLs
- Unusual traffic to port 631 from external sources
SIEM Query:
source="nas-logs" AND (event="file_deleted" OR service="printer") AND (uri="*../*" OR path="*../*")
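The SIEM query above matches only a literal `../` in the logged URI, so percent-encoded (`%2e%2e%2f`), double-encoded (`..%255c`) and backslash variants slip past it. The following script is an added example, not part of the original advisory or any ASUSTOR tooling: it normalizes request URIs the way a lenient server-side decoder would before checking for a `..` segment, and pairs that with the page's other network indicator (traffic to port 631 from outside the LAN). The log field layout, the request paths and the assumption that the NAS lives in RFC 1918 address space are all constructed for this example.

```python
import ipaddress
from urllib.parse import unquote

# Port named in the page's network indicators (IPP).
PRINTER_PORT = 631

# Assumption: the NAS sits in RFC 1918 space; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records, not real ADM log output. The field layout
# (timestamp, source IP, destination port, method, URI, status) and the
# request paths are assumptions made for this example.
SAMPLE_LOGS = """\
2023-07-10T10:01:02Z 192.168.1.20 631 GET /printers/queue 200
2023-07-10T10:02:15Z 203.0.113.45 631 DELETE /printers/../../etc/passwd 200
2023-07-10T10:02:16Z 203.0.113.45 631 DELETE /printers/%2e%2e%2f%2e%2e%2fetc%2fshadow 404
2023-07-10T10:03:00Z 192.168.1.21 80 GET /share/docs/..file 200
2023-07-10T10:04:30Z 198.51.100.7 631 DELETE /printers/..%255c..%255cwindows 200
2023-07-10T10:05:00Z 192.168.1.22 631 POST /printers/jobs 200
"""


def normalize_uri(uri: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding such as
    %255c) and fold backslashes to slashes so '..\\' and '..%5c' are treated
    as path separators, matching what a lenient decoder would see."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True when a whole '..' segment survives normalization. Matching on
    segments rather than the substring '..' avoids flagging names like
    '..file', which is not a traversal."""
    path = normalize_uri(uri).split("?", 1)[0]
    return any(seg == ".." for seg in path.split("/"))


def is_external(ip: str) -> bool:
    """Source outside the assumed internal ranges (or unparseable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(log_text: str) -> list[dict]:
    """Return one finding per printer-service request that shows a traversal
    pattern and/or comes from an external source. Requests to other ports
    are ignored, mirroring the page's indicators for port 631."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records rather than abort the run
        ts, src, dport, method, uri, status = parts
        if not dport.isdigit() or int(dport) != PRINTER_PORT:
            continue
        reasons = []
        if has_traversal(uri):
            reasons.append("traversal-pattern")
        if is_external(src):
            reasons.append("external-source")
        if reasons:
            findings.append({
                "time": ts, "src": src, "method": method, "uri": uri,
                "status": status, "reasons": reasons,
                # a traversal pattern against the file-deleting service is the
                # direct CVE signal; an external source alone is only a lead
                "severity": "high" if "traversal-pattern" in reasons else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f["severity"].upper(), f["time"], f["src"], f["method"],
              f["uri"], ",".join(f["reasons"]))
```

Run on the constructed sample it reports three high-severity findings (the plain, encoded and double-encoded traversal requests) and stays silent on the `..file` request, which a naive substring match would flag. Tune `INTERNAL_NETS` to the real management network before using the external-source reason in production; the decode-then-check step is what carries over to whatever log format the SIEM actually ingests.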