ASUSTOR Data Master < 3.1.6 Multiple Vulnerabilities

High Nessus Plugin ID 112115

Synopsis

A web interface for ASUSTOR NAS devices running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the ASUSTOR Data Master (ADM) web interface running on the remote web server is prior to 3.1.6. It is, therefore, affected by multiple vulnerabilities:

 - CVE-2018-15694: Authenticated File Upload

 - CVE-2018-15695: Authenticated Arbitrary File Deletion

 - CVE-2018-15696: Authenticated Account Enumeration

 - CVE-2018-15697: Authenticated File Disclosure

 - CVE-2018-15698: Authenticated File Disclosure

 - CVE-2018-15699: MITM XSS

Solution

Upgrade to ASUSTOR Data Master (ADM) version 3.1.6 or later.

See Also

https://www.tenable.com/security/research/tra-2018-22

http://www.nessus.org/u?6f7da7ef

Plugin Details

Severity: High

ID: 112115

File Name: asustor_data_master_3_1_6.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 2018/08/24

Modified: 2018/08/24

Dependencies: 111233

Risk Information

Risk Factor: High

CVSS Score Source: manual

CVSS Score Rationale: Authenticated remote code execution

CVSSv2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSSv3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:asustor:data_master

Required KB Items: installed_sw/ASUSTOR Data Master

Patch Publication Date: 2018/08/15

Vulnerability Publication Date: 2018/08/24

Reference Information

CVE: CVE-2018-15694, CVE-2018-15695, CVE-2018-15696, CVE-2018-15697, CVE-2018-15698, CVE-2018-15699