CVE Vulnerability Database

CVE-2026-29516: Buffalo TeraStation Information Disclosure

CVE-2026-29516 is an information disclosure vulnerability in Buffalo TeraStation NAS TS5400R that exposes sensitive password hashes. This post covers the technical details, affected firmware versions, impact, and mitigation.


CVE-2026-29516 Overview

Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability (CWE-732, Incorrect Permission Assignment for Critical Resource): /etc/shadow is world-readable. An authenticated attacker who can upload a PHP file through the web server and get it executed can therefore read the file from the web server's own context and retrieve the hashed passwords of all configured accounts, including root.

Critical Impact

Authenticated attackers can retrieve the password hashes of every system account, including root. Cracking those hashes offline yields plaintext credentials, which can lead to credential theft, privilege escalation, and full compromise of the NAS device.

Affected Products

  • Buffalo TeraStation NAS TS5400R, firmware version 4.02-0.06 and all prior versions

Discovery Timeline

  • 2026-03-16 - CVE-2026-29516 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-29516

Vulnerability Analysis

This vulnerability stems from an incorrect file permission configuration on the Buffalo TeraStation NAS TS5400R. The /etc/shadow file, which stores the hashed passwords of system accounts, is world-readable instead of carrying the restrictive permissions it normally has on Linux systems (typically 0640 owned by root:shadow, or 0600 owned by root). As a result, any process on the device can read it regardless of the user it runs as, so an attacker who obtains code execution of any kind can read the hashes.

The attack requires authentication to the device. An authenticated attacker uploads a PHP file through the web server interface and triggers its execution. The PHP code runs with the web server's privileges, which would ordinarily be insufficient to open /etc/shadow, but the permission misconfiguration removes that barrier: the script reads the file and returns the password hashes of all configured accounts, including root. These hashes can then be subjected to offline cracking to recover plaintext passwords.

Root Cause

The root cause is excessive file permissions (CWE-732) on the /etc/shadow file within the Buffalo TeraStation firmware. The file is configured with world-readable permissions, violating the principle of least privilege. This configuration error in the firmware allows any process running on the system to access sensitive password hash data that should only be readable by the root user or specific privileged processes.
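A practitioner wanting to confirm or fix the permission state described above can script the check. The following is an added example, not code from the advisory or from Buffalo's firmware: it reports whether a file carries the "other" read bit and clears the excess bits. The demo at the bottom works on a constructed temporary file so it can run unprivileged; pointing audit_shadow() at the real /etc/shadow requires root (and SSH access to the NAS, where that is available).

```python
"""Added example (not from the advisory or from Buffalo): check whether a shadow-style file is
world-readable, the misconfiguration behind CVE-2026-29516, and tighten its mode bits.
"""
import os
import stat
import tempfile


def world_readable(path):
    """True if the 'other' read bit is set on path, i.e. any local process can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_shadow(path="/etc/shadow"):
    """Return (ok, mode_string); ok is False when the file is world-readable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    ok = not (mode & stat.S_IROTH)
    return ok, "%04o" % mode


def harden_shadow(path="/etc/shadow"):
    """Drop group-write and all 'other' bits; 0640 root:shadow and 0600 root:root are both acceptable.

    Owner and group are left unchanged so this also works on a temp file; when run as root on
    the real file, add os.chown(path, 0, <shadow gid>) if the ownership is wrong too.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~(stat.S_IWGRP | stat.S_IRWXO)
    os.chmod(path, new_mode)
    return "%04o" % new_mode


def demo():
    """Constructed stand-in for /etc/shadow; the hash value is a placeholder, not real data."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("root:$6$saltsalt$PLACEHOLDERHASH:20500:0:99999:7:::\n")
    os.chmod(path, 0o644)            # the vulnerable state: world-readable
    before = audit_shadow(path)
    fixed_mode = harden_shadow(path)
    after = audit_shadow(path)
    os.unlink(path)
    return before, fixed_mode, after


if __name__ == "__main__":
    before, fixed_mode, after = demo()
    print("before: world-readable=%s mode=%s" % (not before[0], before[1]))
    print("after : world-readable=%s mode=%s" % (not after[0], after[1]))
```

On a correctly configured host audit_shadow() returns (True, "0640") or (True, "0600"); a (False, ...) result is the condition this CVE describes.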

Attack Vector

The attack is network-based and requires authenticated access to the device. An attacker with valid credentials to the Buffalo TeraStation web interface can exploit this vulnerability through the following process:

  1. Authenticate to the TeraStation web management interface
  2. Upload a malicious PHP file through the webserver functionality
  3. Execute the PHP file to read the contents of /etc/shadow
  4. Retrieve password hashes for all system accounts including root
  5. Perform offline password cracking to recover plaintext credentials

The vulnerability requires privileges (valid credentials for the web interface) but has low attack complexity and needs no interaction from any other user.

Detection Methods for CVE-2026-29516

Indicators of Compromise

  • Unexpected PHP files uploaded to web-accessible directories on the TeraStation device
  • Web server logs showing execution of suspicious PHP scripts
  • Access attempts to /etc/shadow or other sensitive system files from web processes
  • Unusual file read operations by the web server process (typically httpd or similar)

Detection Strategies

  • Monitor web server access logs for requests to unusual or recently uploaded PHP files
  • Implement file integrity monitoring on the TeraStation device to detect unauthorized file uploads
  • Review authentication logs for suspicious login patterns preceding file upload activity
  • Analyze network traffic for exfiltration of data matching shadow file format patterns
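The indicators and detection strategies above can be scripted. The following is an added example, not code from the advisory, from Buffalo, or from the VulnCheck advisory: it parses Apache/nginx combined-format access log lines (the device's actual log format is an assumption and may differ), flags requests to PHP files outside an assumed allow-list of known web-UI entry points, records whether the same client issued a POST earlier in the log (the upload-then-execute sequence), and matches lines in /etc/shadow format in captured text such as a proxy-logged response body. The log lines, paths and response body are constructed for the example.

```python
"""Added detection example for CVE-2026-29516 (not from the advisory or from Buffalo)."""
import re
from collections import defaultdict

# Combined-format access log; the format is an assumption, adjust LOG_RE for the device's own logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed allow-list of PHP entry points that belong to the web UI (not taken from the firmware).
KNOWN_PHP = {"/index.php", "/login.php"}

# One /etc/shadow record: name:hash:lastchg:min:max:warn:inactive:expire:reserved (9 fields).
SHADOW_LINE_RE = re.compile(
    r'^(?P<user>[a-z_][a-z0-9_-]*):(?P<hash>!?\$[0-9A-Za-z]+\$[^:]*|[*!]*)'
    r':\d*:\d*:\d*:\d*:\d*:\d*:\d*$'
)


def parse_line(line):
    """Return ip/user/method/path/status for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]   # drop any query string
    entry["status"] = int(entry["status"])
    return entry


def suspicious_php_requests(lines):
    """Flag requests for .php files that are not part of the known web application.

    Each finding carries the paths the same client POSTed to earlier in the log, which is
    the upload-then-execute sequence the advisory describes.
    """
    findings = []
    posted = defaultdict(list)          # client ip -> non-PHP paths it has POSTed to so far
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and not e["path"].endswith(".php"):
            posted[e["ip"]].append(e["path"])
        if e["path"].endswith(".php") and e["path"] not in KNOWN_PHP:
            findings.append({
                "ip": e["ip"], "user": e["user"], "path": e["path"],
                "status": e["status"], "preceded_by_post": list(posted[e["ip"]]),
            })
    return findings


def find_shadow_lines(text):
    """Return the usernames of any /etc/shadow-format records found in captured text."""
    users = []
    for raw in text.splitlines():
        m = SHADOW_LINE_RE.match(raw.strip())
        if m:
            users.append(m.group("user"))
    return users


# Constructed sample log: an admin session uploads through a CGI endpoint, then fetches an unknown PHP file.
SAMPLE_LOG = [
    '203.0.113.7 - admin [16/Mar/2026:10:01:02 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - admin [16/Mar/2026:10:01:09 +0000] "GET /shares/web/dump.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [16/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

# Constructed response body resembling exfiltrated shadow contents; hash values are placeholders.
SAMPLE_EXFIL = """root:$6$abcdefgh$PLACEHOLDERHASH:20500:0:99999:7:::
daemon:*:20500:0:99999:7:::
admin:$1$saltsalt$PLACEHOLDER:20500:0:99999:7:::
not a shadow line
"""

if __name__ == "__main__":
    for finding in suspicious_php_requests(SAMPLE_LOG):
        print("suspicious PHP request:", finding)
    print("shadow-format records seen for users:", find_shadow_lines(SAMPLE_EXFIL))
```

The allow-list approach is deliberate: on an appliance the set of legitimate PHP entry points is small and fixed, so any request to a .php path outside it is worth an alert, and a preceding POST from the same client is the correlation the IoC list asks for. The shadow-format regex matches the record structure rather than a specific hash type, so it catches SHA-512, MD5 and locked (*) entries alike.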

Monitoring Recommendations

  • Enable verbose logging on the Buffalo TeraStation web interface
  • Configure alerting for new file uploads in web-accessible directories
  • Monitor for privilege escalation attempts following any authenticated sessions
  • Implement network-level monitoring for connections from the NAS to external systems that could indicate data exfiltration

How to Mitigate CVE-2026-29516

Immediate Actions Required

  • Restrict network access to the Buffalo TeraStation management interface to trusted IP addresses only
  • Review and disable any unnecessary file upload functionality on the device
  • Audit user accounts and remove any unnecessary or suspicious accounts
  • Change passwords for all accounts on the affected device, especially the root account
  • Segment the NAS device from critical network segments to limit exposure

Patch Information

No vendor patch information is currently available in the CVE data. Organizations should monitor the Buffalo Americas website and the VulnCheck Advisory for firmware updates that address this vulnerability. Contact Buffalo support directly for guidance on remediation options.

Workarounds

  • Implement network access controls to restrict who can access the TeraStation management interface
  • Disable PHP execution on the web server if not required for device operation
  • Place the affected device behind a firewall and limit access to essential management personnel only
  • Consider replacing affected devices with alternatives that have active security support if no patch becomes available
  • Implement strong, unique passwords for all accounts to reduce the impact if password hashes are compromised
```bash
# Network isolation example using iptables (apply on the network firewall or router, not on the NAS itself).
# Restrict access to the TeraStation web interface (TCP 80/443) to the management VLAN only.
# Placeholder values: replace with the NAS address and the management network.
TERASTATION_IP="192.0.2.10"
MANAGEMENT_VLAN="10.0.50.0/24"
# The ACCEPT rules must come before the DROP rules: iptables evaluates a chain top to bottom,
# and an earlier blanket ACCEPT in FORWARD would make the DROP rules unreachable.
iptables -A FORWARD -d "$TERASTATION_IP" -p tcp --dport 80  -s "$MANAGEMENT_VLAN" -j ACCEPT
iptables -A FORWARD -d "$TERASTATION_IP" -p tcp --dport 443 -s "$MANAGEMENT_VLAN" -j ACCEPT
iptables -A FORWARD -d "$TERASTATION_IP" -p tcp --dport 80  -j DROP
iptables -A FORWARD -d "$TERASTATION_IP" -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
