CVE-2022-24989 Overview
CVE-2022-24989 is a critical remote code execution vulnerability affecting TerraMaster NAS devices running TerraMaster Operating System (TOS) through version 4.2.30. The vulnerability allows unauthenticated remote attackers from the WAN to execute arbitrary code as root by exploiting improper input validation in the raidtype and diskstring parameters of the api.php?mobile/createRaid URI endpoint.
This vulnerability is classified as a Command Injection flaw (CWE-74) that occurs due to the use of popen() without proper sanitization, enabling attackers to inject shell metacharacters and achieve PHP Object Instantiation leading to complete system compromise.
Critical Impact
Unauthenticated remote attackers can achieve root-level code execution on vulnerable TerraMaster NAS devices, potentially leading to complete device takeover, data theft, ransomware deployment, or use of the compromised device as a pivot point for further network attacks.
Affected Products
- TerraMaster Operating System through version 4.2.30
- TerraMaster F-Series NAS (F2-210, F2-221, F2-223, F2-422, F2-423, F4-421, F4-422, F4-423, F5-221, F5-422)
- TerraMaster T-Series NAS (T6-423, T9-423, T9-450, T12-423, T12-450)
- TerraMaster U-Series NAS (U4-111, U4-211, U4-423, U8-111, U8-322-9100, U8-423, U8-522-9400, U8-722-2224, U12-322-9100, U12-423, U12-722-2224, U16-322-9100, U16-722-2224, U24-722-2224)
Discovery Timeline
- 2023-08-20 - CVE-2022-24989 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24989
Vulnerability Analysis
The vulnerability exists in the TerraMaster Operating System's web API, specifically in the RAID creation functionality exposed through api.php. The mobile/createRaid endpoint accepts user-controlled parameters (raidtype and diskstring) that are passed to system commands via PHP's popen() function without adequate input sanitization.
This design flaw creates a classic command injection scenario where an attacker can embed shell metacharacters (such as semicolons, backticks, or pipe characters) within the raidtype parameter. When the server processes the malicious request, the injected commands execute with root privileges, as the NAS web service typically runs with elevated permissions.
The vulnerability is particularly dangerous because it can be exploited remotely over the WAN without authentication. Additionally, researchers have noted that credentials obtained through exploitation of the related CVE-2022-24990 vulnerability can be leveraged in conjunction with this flaw, creating a powerful attack chain.
Root Cause
The root cause of CVE-2022-24989 is the use of PHP's popen() function to execute system commands with user-supplied input that lacks proper sanitization. The raidtype parameter is directly concatenated into a shell command string without escaping special characters or validating against an allowlist of expected values.
This represents a fundamental secure coding failure where untrusted user input is passed to a command execution function. The lack of input validation, combined with the privileged execution context, transforms what should be a simple RAID configuration endpoint into a remote code execution vector.
Attack Vector
The attack is network-based and can be executed remotely over the WAN without requiring any authentication or user interaction. An attacker identifies a vulnerable TerraMaster NAS device exposed to the internet and crafts a malicious HTTP request to the api.php?mobile/createRaid endpoint.
By injecting shell metacharacters into the raidtype parameter, the attacker can append arbitrary commands that execute with root privileges when the server processes the request. This allows for immediate command execution, enabling activities such as downloading and executing malware, establishing reverse shells, exfiltrating sensitive data, or deploying ransomware. For detailed technical analysis, see the Octagon Blog CVE-2022-24990 Analysis.
Detection Methods for CVE-2022-24989
Indicators of Compromise
- Unexpected HTTP POST requests to /api.php?mobile/createRaid containing shell metacharacters (;, |, `, $()) in the raidtype or diskstring parameters
- Unusual processes spawned by the web server process, particularly reverse shells or command interpreters (e.g., /bin/sh, /bin/bash, nc, wget, curl)
- Unexpected outbound network connections from the NAS device to external IP addresses, especially on non-standard ports
- New or modified files in web-accessible directories or system locations such as /tmp, /var/tmp, or cron directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in the mobile/createRaid API parameters
- Monitor web server access logs for requests to api.php?mobile/createRaid from external IP addresses
- Deploy network intrusion detection signatures to identify exploitation attempts targeting this vulnerability
- Use endpoint detection and response (EDR) solutions to identify suspicious process chains where the web server spawns shell processes
Monitoring Recommendations
- Enable comprehensive logging on TerraMaster NAS devices and forward logs to a centralized SIEM for analysis
- Configure alerts for any HTTP requests to the mobile/createRaid endpoint originating from external networks
- Monitor for unusual process execution patterns on the NAS device, particularly shell commands executed as root by the web server
- Implement network segmentation and monitor traffic flows between NAS devices and external networks
How to Mitigate CVE-2022-24989
Immediate Actions Required
- Update TerraMaster Operating System to a version newer than 4.2.30 that includes patches for this vulnerability
- If immediate patching is not possible, disable WAN access to the NAS management interface immediately
- Place vulnerable NAS devices behind a firewall or VPN and restrict access to trusted networks only
- Conduct a forensic review of affected systems to identify any indicators of prior exploitation
Patch Information
TerraMaster users should update their devices to the latest firmware version that addresses this vulnerability. Check the TerraMaster Forum Discussion for official announcements regarding security updates. Ensure automatic updates are enabled to receive future security patches promptly.
Workarounds
- Disable remote WAN access to the TerraMaster NAS management interface until the device can be patched
- Implement strict firewall rules to block external access to TCP ports used by the NAS web interface (typically ports 80, 443, and 8181)
- Use a VPN to access the NAS remotely instead of exposing the web interface directly to the internet
- Consider network segmentation to isolate NAS devices from critical network resources
# Example: Block external access to TerraMaster NAS ports using iptables
# Run these commands on your network firewall/router
# Block HTTP access from WAN
iptables -A INPUT -p tcp --dport 80 -i eth0 -j DROP
# Block HTTPS access from WAN
iptables -A INPUT -p tcp --dport 443 -i eth0 -j DROP
# Block TerraMaster default management port from WAN
iptables -A INPUT -p tcp --dport 8181 -i eth0 -j DROP
# Allow access only from internal network (adjust 192.168.1.0/24 to your network)
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -s 192.168.1.0/24 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
