Asustor Five Security Advisories for Resolved Vulnerabilities
Concerning OpenSSH, ADM 4.2 and ADM 4.0 NAS OSs, arbitrary file movement vulnerability, improper privilege management vulnerability, directory traversal vulnerability, and command Injection vulnerability found in Asustor Data Master
This is a Press Release edited by StorageNewsletter.com on December 5, 2023 at 2:01 pmAsustor, Inc. had published 5 security advisories for resolved vulnerabilities.
2023-11-29
Severity : Important
Status : Resolved
Statement
OpenSSH versions prior to 9.3p2 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data.
CVE-2023-38408 affected company’s products with ADM 4.2 and ADM 4.0 NAS OSs. Updates with OpenSSH 9.5p1 will be released as soon as possible.
-
OpenSSH 9.5p1 has been updated on ADM 4.2.5.RN33 and ADM 4.0.6.RNS1 to resolve the issue.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 |
Important |
Upgrade to ADM 4.2.5.RN33 or above |
ADM 4.0 |
Important |
Upgrade to ADM 4.0.6.RNS1 or above |
Detail
-
-
Severity: Critical
-
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
-
Reference
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2023-10-25 |
Initial public release |
2 |
2023-11-06 |
Release ADM 4.2.5.RN33 to update OpenSSH version for fixing the issue |
3 |
2023-11-29 |
Release ADM 4.0.6.RNS1 to update OpenSSH version for fixing the issue |
2023-11-29
Severity : Important
Status : Resolved
Statement
An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 |
Important |
Upgrade to ADM 4.2.3.RK91 or above |
ADM 4.0 |
Important |
Upgrade to ADM 4.0.6.RNS1 or above |
Detail
-
-
Severity: High
-
CVSS3 Base Score: 7.5
-
CVSS3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
-
An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2023-08-23 |
Initial public release |
2 |
2023-08-23 |
CVE ID (CVE-2023-4475) is assigned for the issue |
3 |
2023-08-23 |
ADM 4.2.3.RK91 has been released for fixing the issue |
4 |
2023-11-29 |
ADM 4.0.6.RNS1 has been released for fixing the issue |
2023-11-29
Severity : Important
Status : Resolved
Statement
An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 |
Important |
Upgrade to ADM 4.2.3.RK91 or above |
ADM 4.0 |
Important |
Upgrade to ADM 4.0.6.RNS1 or above |
Detail
-
-
Severity: High
-
CVSS3 Base Score: 8.7
-
CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
-
An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2023-08-23 |
Initial public release |
2 |
2023-08-23 |
CVE ID (CVE-2023-3699) is assigned for the issue |
3 |
2023-08-23 |
ADM 4.2.3.RK91 has been released for fixing the issue |
4 |
2023-11-29 |
ADM 4.0.6.RNS1 has been released for fixing the issue |
2023-11-29
Severity : Important
Status : Resolved
Statement
A Directory traversal vulnerability was found in Asustor Data Master (ADM) allows an remote unauthorized users to navigate beyond the intended directory structure. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
The issues had been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 |
Important |
Upgrade to ADM 4.2.3.RK91 or above |
ADM 4.0 |
Important |
Upgrade to ADM 4.0.6.RNS1 or above |
Detail
-
-
Severity: High
-
CVSS3 Base Score: 8.5
-
CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
-
Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
-
-
Severity: High
-
CVSS3 Base Score: 8.5
-
CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
-
Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2023-08-23 |
Initial public release |
2 |
2023-08-23 |
CVE ID CVE-2023-3697 and CVE-2023-3698 are assigned for the issues |
3 |
2023-08-23 |
ADM 4.2.3.RK91 has been released for fixing the issues |
4 |
2023-11-29 |
ADM 4.0.6.RNS1 has been released for fixing the issues |
2023-11-29
Severity : Important
Status : Resolved
Statement
A Command Injection vulnerability was found in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 |
Important |
Upgrade to ADM 4.2.3.RK91 or above |
ADM 4.0 |
Important |
Upgrade to ADM 4.0.6.RNS1 or above |
Detail
-
-
Severity: High
-
CVSS3 Base Score: 8.8
-
CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
-
Improper neutralization of special elements used in a command (‘Command Injection’) vulnerability in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
-
Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2023-08-23 |
Initial public release |
2 |
2023-08-23 |
CVE ID (CVE-2023-2910) is assigned for the issue |
3 |
2023-08-23 |
ADM 4.2.3.RK91 has been released for fixing the issue |
4 |
2023-11-29 |
ADM 4.0.6.RNS1 has been released for fixing the issue |