What are you looking for ?
Infinidat
Articles_top

Asustor Five Security Advisories for Resolved Vulnerabilities

Concerning OpenSSH, ADM 4.2 and ADM 4.0 NAS OSs, arbitrary file movement vulnerability, improper privilege management vulnerability, directory traversal vulnerability, and command Injection vulnerability found in Asustor Data Master

Asustor, Inc. had published 5 security advisories for resolved vulnerabilities.

AS-2023-013: OpenSSH

2023-11-29
Severity : Important
Status : Resolved

Statement
OpenSSH versions prior to 9.3p2 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data.

CVE-2023-38408 affected company’s products with ADM 4.2 and ADM 4.0 NAS OSs. Updates with OpenSSH 9.5p1 will be released as soon as possible.

  • OpenSSH 9.5p1 has been updated on ADM 4.2.5.RN33 and ADM 4.0.6.RNS1 to resolve the issue.

Affected products

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Important

Upgrade to ADM 4.2.5.RN33 or above

ADM 4.0

Important

Upgrade to ADM 4.0.6.RNS1 or above

Detail

  • CVE-2023-38408

    • Severity: Critical

    • The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Reference

Revision

Revision

Date

Description

1

2023-10-25

Initial public release

2

2023-11-06

Release ADM 4.2.5.RN33 to update OpenSSH version for fixing the issue

3

2023-11-29

Release ADM 4.0.6.RNS1 to update OpenSSH version for fixing the issue

 

AS-2023-012: ADM

2023-11-29
Severity :
Important
Status :
Resolved

Statement
An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected products

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Important

Upgrade to ADM 4.2.3.RK91 or above

ADM 4.0

Important

Upgrade to ADM 4.0.6.RNS1 or above

Detail

  • CVE-2023-4475

    • Severity: High

    • CVSS3 Base Score: 7.5

    • CVSS3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

    • An Arbitrary File Movement vulnerability was found in Asustor Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)

Revision

Revision

Date

Description

1

2023-08-23

Initial public release

2

2023-08-23

CVE ID (CVE-2023-4475) is assigned for the issue

3

2023-08-23

ADM 4.2.3.RK91 has been released for fixing the issue

4

2023-11-29

ADM 4.0.6.RNS1 has been released for fixing the issue

 

AS-2023-011: ADM

2023-11-29
Severity : Important
Status : Resolved

Statement
An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected products

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Important

Upgrade to ADM 4.2.3.RK91 or above

ADM 4.0

Important

Upgrade to ADM 4.0.6.RNS1 or above

Detail

  • CVE-2023-3699

    • Severity: High

    • CVSS3 Base Score: 8.7

    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

    • An Improper Privilege Management vulnerability was found in Asustor Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement
Stéphane Chauveau (stephane@chauveau-central.net)

Revision

Revision

Date

Description

1

2023-08-23

Initial public release

2

2023-08-23

CVE ID (CVE-2023-3699) is assigned for the issue

3

2023-08-23

ADM 4.2.3.RK91 has been released for fixing the issue

4

2023-11-29

ADM 4.0.6.RNS1 has been released for fixing the issue

 

AS-2023-010: ADM

2023-11-29
Severity : Important
Status : Resolved

Statement
A Directory traversal vulnerability was found in Asustor Data Master (ADM) allows an remote unauthorized users to navigate beyond the intended directory structure. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issues had been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected products

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Important

Upgrade to ADM 4.2.3.RK91 or above

ADM 4.0

Important

Upgrade to ADM 4.0.6.RNS1 or above

Detail

  • CVE-2023-3697

    • Severity: High

    • CVSS3 Base Score: 8.5

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • CVE-2023-3698

    • Severity: High

    • CVSS3 Base Score: 8.5

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security

Revision

Revision

Date

Description

1

2023-08-23

Initial public release

2

2023-08-23

CVE ID CVE-2023-3697 and CVE-2023-3698 are assigned for the issues

3

2023-08-23

ADM 4.2.3.RK91 has been released for fixing the issues

4

2023-11-29

ADM 4.0.6.RNS1 has been released for fixing the issues

 

AS-2023-009: ADM

2023-11-29
Severity : Important
Status : Resolved

Statement
A Command Injection vulnerability was found in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected products

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Important

Upgrade to ADM 4.2.3.RK91 or above

ADM 4.0

Important

Upgrade to ADM 4.0.6.RNS1 or above

Detail

  • CVE-2023-2910

    • Severity: High

    • CVSS3 Base Score: 8.8

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    • Improper neutralization of special elements used in a command (‘Command Injection’) vulnerability in Asustor Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement
atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security

Revision

Revision

Date

Description

1

2023-08-23

Initial public release

2

2023-08-23

CVE ID (CVE-2023-2910) is assigned for the issue

3

2023-08-23

ADM 4.2.3.RK91 has been released for fixing the issue

4

2023-11-29

ADM 4.0.6.RNS1 has been released for fixing the issue

Articles_bottom
AIC
ATTO
OPEN-E