Asustor has reported five vulnerabilities in its NAS operating system, Asustor Data Master (ADM), and fixes them in an updated version. The manufacturer rates the vulnerabilities as high-risk. Anyone running an Asustor NAS should therefore download and install the update promptly.
Asustor: NAS devices can be attacked from the network
Unauthenticated attackers on the network can inject arbitrary commands because the transferred data is insufficiently filtered. Asustor does not explain how this works in its security notification and instead mentions “unspecified attack vectors” (CVE-2023-2910, CVSS 8.8, risk “high”). The vulnerability falls just short of a “critical” rating.
Another vulnerability allows local users to change the configuration without authorization (CVE-2023-3699, CVSS 8.7, high). In the printer service, unauthenticated users from the network can navigate beyond the intended directory structures and create (CVE-2023-3697, CVSS 8.5, high) and delete (CVE-2023-3698, CVSS 8.5, high) files. In addition, malicious actors can abuse the file rename feature to move files to unintended directories (CVE-2023-4475, CVSS 7.5, high).
All of the vulnerabilities mentioned are fixed by updating Asustor Data Master (ADM) to version 4.2.3 RK91 or newer; ADM versions in the 4.0, 4.1 and 4.2 branches are affected. Asustor users should install the update promptly so as not to fall victim to potential attacks.
To do this, administrators can activate Live Update, which notifies them of available updates when they log in, or set up automatic, scheduled updates that check for and install updates within the specified period. A manual update is possible with an ADM image that can be downloaded from the Asustor support website after specifying the device used.
In the past, vulnerabilities in Asustor firmware have been exploited by the Deadbolt ransomware, among others.