Asustor: Four Security Advisories Concerning ADM NAS OS

Issues fixed in ADM 4.2.3.RK91.

Asustor, Inc. has published four security advisories on vulnerabilities found in its Asustor Data Master (ADM) NAS OS.

Security advisory AS-2023-012: ADM

Severity: Important
Status: Ongoing

Statement
An Arbitrary File Movement vulnerability was found in ADM that allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91.

Affected products

Product            Severity    Fixed release availability
ADM 4.2 and 4.1    Important   Upgrade to ADM 4.2.3.RK91 or above
ADM 4.0            Important   Ongoing

Detail

  • CVE-2023-4475

    • Severity: High

    • CVSS3 Base Score: 7.5

    • CVSS3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

    • An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) that allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)

Revision

Revision   Date         Description
1          2023-08-23   Initial public release
2          2023-08-23   CVE ID (CVE-2023-4475) is assigned for the issue.


Security advisory AS-2023-011: ADM

Severity: Important
Status: Ongoing

Statement
An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) that allows unprivileged local users to modify the storage device configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91.

Affected products

Product            Severity    Fixed release availability
ADM 4.2 and 4.1    Important   Upgrade to ADM 4.2.3.RK91 or above
ADM 4.0            Important   Ongoing

Detail

  • CVE-2023-3699

    • Severity: High

    • CVSS3 Base Score: 8.7

    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

    • An Improper Privilege Management vulnerability was found in ADM that allows unprivileged local users to modify the storage device configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)

Revision

Revision   Date         Description
1          2023-08-23   Initial public release
2          2023-08-23   CVE ID (CVE-2023-3699) is assigned for the issue.


Security advisory AS-2023-010: ADM

Severity: Important
Status: Ongoing

Statement
A Directory Traversal vulnerability was found in Asustor Data Master (ADM) that allows remote unauthorized users to navigate beyond the intended directory structure. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91.

Affected products

Product            Severity    Fixed release availability
ADM 4.2 and 4.1    Important   Upgrade to ADM 4.2.3.RK91 or above
ADM 4.0            Important   Ongoing

Detail

  • CVE-2023-3697

    • Severity: High

    • CVSS3 Base Score: 8.5

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    • The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

  • CVE-2023-3698

    • Severity: High

    • CVSS3 Base Score: 8.5

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    • The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security

Revision

Revision   Date         Description
1          2023-08-23   Initial public release
2          2023-08-23   CVE IDs CVE-2023-3697 and CVE-2023-3698 are assigned for the issues.


Security advisory AS-2023-009: ADM

Severity: Important
Status: Ongoing

Statement
A Command Injection vulnerability was found in ADM that allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91.

Affected products

Product            Severity    Fixed release availability
ADM 4.2 and 4.1    Important   Upgrade to ADM 4.2.3.RK91 or above
ADM 4.0            Important   Ongoing

Detail

  • CVE-2023-2910

    • Severity: High

    • CVSS3 Base Score: 8.8

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    • An Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below, as well as ADM 4.2.2.RI61 and below.

Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security

Revision

Revision   Date         Description
1          2023-08-23   Initial public release
2          2023-08-23   CVE ID (CVE-2023-2910) is assigned for the issue.
