Asustor: Four Security Advisories Concerning ADM NAS OS
Issues fixed on ADM V.4.2.3.RK91.
This is a Press Release edited by StorageNewsletter.com on August 29, 2023 at 2:01 pm.

Asustor, Inc. has published four security advisories on vulnerabilities found in Asustor Data Master (ADM) NAS OS.
Security advisory AS-2023-012: ADM

Severity: Important
Status: Ongoing

Statement

An Arbitrary File Movement vulnerability was found in ADM that allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

The issue has been fixed in ADM 4.2.3.RK91.

Affected products

| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.2.3.RK91 or above |
| ADM 4.0 | Important | Ongoing |

Detail

- Severity: High
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
- An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) that allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)
Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-23 | Initial public release |
| 2 | 2023-08-23 | CVE ID (CVE-2023-4475) is assigned for the issue. |
Security advisory AS-2023-011: ADM

Severity: Important
Status: Ongoing

Statement

An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) that allows unprivileged local users to modify the storage device configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

The issue has been fixed in ADM 4.2.3.RK91.

Affected products

| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.2.3.RK91 or above |
| ADM 4.0 | Important | Ongoing |

Detail

- Severity: High
- CVSS3 Base Score: 8.7
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
- An Improper Privilege Management vulnerability was found in ADM that allows unprivileged local users to modify the storage device configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)
Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-23 | Initial public release |
| 2 | 2023-08-23 | CVE ID (CVE-2023-3699) is assigned for the issue. |
Security advisory AS-2023-010: ADM

Severity: Important
Status: Ongoing

Statement

A Directory Traversal vulnerability was found in Asustor Data Master (ADM) that allows remote unauthorized users to navigate beyond the intended directory structure. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

The issue has been fixed in ADM 4.2.3.RK91.

Affected products

| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.2.3.RK91 or above |
| ADM 4.0 | Important | Ongoing |

Detail

- Severity: High
- CVSS3 Base Score: 8.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

- Severity: High
- CVSS3 Base Score: 8.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
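AS-2023-012 (moving files through the rename feature) and AS-2023-010 (the printer service creating and deleting files outside its directory) are both failures to keep a user-supplied path inside the root it was meant for. The Python below is an added illustration of the containment check a file-handling service needs; it is not ADM code and does not come from Asustor or the reporters. The share layout, the file names and the `resolve_inside`/`safe_rename` helpers are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would land outside the permitted root."""


def resolve_inside(root, user_path):
    """Resolve user_path beneath root and refuse anything that escapes it.

    Absolute paths are rejected outright; '..' segments and symlinks are
    canonicalised by Path.resolve() before the containment test, so the
    comparison is made on the path the filesystem would actually use.
    """
    root = Path(root).resolve()
    if os.path.isabs(user_path):
        raise PathEscapeError(f"absolute path not allowed: {user_path!r}")
    candidate = (root / user_path).resolve()
    # Component-wise check: candidate must be root itself or lie beneath it.
    # A plain string-prefix test would wrongly accept /srv/share2 for /srv/share.
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathEscapeError(f"{user_path!r} resolves outside {root}") from None
    return candidate


def safe_rename(share_root, src_rel, dst_rel):
    """Rename or move a file within a share; both endpoints must stay inside."""
    src = resolve_inside(share_root, src_rel)
    dst = resolve_inside(share_root, dst_rel)
    src.rename(dst)
    return dst


def demo():
    """Constructed scenario: a share directory plus one file outside it.

    Returns what happened to each request so the behaviour can be checked.
    """
    base = Path(tempfile.mkdtemp())
    share = base / "share"
    (share / "docs").mkdir(parents=True)
    (share / "docs" / "report.txt").write_text("inside the share")
    (base / "outside.txt").write_text("must stay unreachable")
    (share / "link").symlink_to(base / "outside.txt")  # symlink pointing out of the share

    results = {}
    # A legitimate rename inside the share goes through.
    safe_rename(share, "docs/report.txt", "docs/report-2023.txt")
    results["rename_inside"] = (share / "docs" / "report-2023.txt").exists()

    # Each of these would cross the share boundary and is refused before any
    # filesystem change is made.
    attempts = {
        "move_out": ("docs/report-2023.txt", "../outside-copy.txt"),
        "move_in": ("../outside.txt", "docs/pulled-in.txt"),
        "absolute": ("/etc/hostname", "docs/x.txt"),
        "via_symlink": ("link", "docs/y.txt"),
    }
    for label, (src, dst) in attempts.items():
        try:
            safe_rename(share, src, dst)
            results[label] = "allowed"
        except PathEscapeError:
            results[label] = "refused"
    results["outside_untouched"] = (base / "outside.txt").read_text() == "must stay unreachable"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is made on the resolved path rather than on the raw string, which is what catches the symlink case as well as `..`. There is still a window between the check and the rename in which the filesystem can change underneath the service, so on a real system the boundary should additionally be enforced at open time (for example with an API that refuses to follow symlinks) rather than by a path check alone.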
Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security
Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-23 | Initial public release |
| 2 | 2023-08-23 | CVE IDs CVE-2023-3697 and CVE-2023-3698 are assigned for the issues. |
Security advisory AS-2023-009: ADM

Severity: Important
Status: Ongoing

Statement

A Command Injection vulnerability was found in ADM that allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

The issue has been fixed in ADM 4.2.3.RK91.

Affected products

| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.2.3.RK91 or above |
| ADM 4.0 | Important | Ongoing |

Detail

- Severity: High
- CVSS3 Base Score: 8.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- An Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
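AS-2023-009 is the command injection class: user input reaches a command line without its special elements being neutralised. The Python below is an added illustration of the vulnerable pattern beside its hardened form; it is not ADM code and says nothing about where ADM's injection point was (the advisory gives only "unspecified vectors"). The `echo` stand-in for the real utility, the share-name allow-list and the function names are assumptions made for the example.

```python
import re
import subprocess

# Allow-list for the value this hypothetical handler accepts (a share name):
# letters, digits, dot, dash and underscore only, so no shell metacharacter
# can reach a command line. Assumed for the example, not an ADM rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def unsafe_list_share(name):
    """Vulnerable pattern: user input spliced into a string handed to a shell.

    'echo' stands in for whatever utility a real service would run.
    """
    return subprocess.run(
        "echo listing " + name, shell=True, capture_output=True, text=True
    ).stdout


def safe_list_share(name):
    """Hardened form: validate against the allow-list, then pass the value as
    a single argv element so no shell ever parses it."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected share name: {name!r}")
    return subprocess.run(
        ["echo", "listing", name], capture_output=True, text=True, check=True
    ).stdout


def demo():
    """Runs both variants on a benign input and a constructed hostile one."""
    benign = "photos"
    hostile = "photos; echo INJECTED"  # constructed input carrying a shell separator
    results = {
        "unsafe_benign": unsafe_list_share(benign).strip(),
        # With shell=True the ';' ends the intended command and a second one runs.
        "unsafe_hostile": unsafe_list_share(hostile).strip().splitlines(),
        "safe_benign": safe_list_share(benign).strip(),
    }
    try:
        safe_list_share(hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    # Even without the allow-list, an argv list keeps the whole string as one
    # literal argument; nothing interprets the ';'.
    results["argv_literal"] = subprocess.run(
        ["echo", "listing", hostile], capture_output=True, text=True
    ).stdout.strip()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The structural fix is the argv list (no shell, so no metacharacters to interpret); the allow-list is defence in depth and should describe the shape of a valid value rather than enumerate characters to forbid, since a deny-list is what the "unspecified vectors" in advisories like this one tend to slip past.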
Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security
Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-23 | Initial public release |
| 2 | 2023-08-23 | CVE ID (CVE-2023-2910) is assigned for the issue. |