ASUSTOR Data Master < 3.1.6 Multiple Vulnerabilities

High Nessus Plugin ID 112115

Synopsis

A web interface for ASUSTOR NAS devices running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the ASUSTOR Data Master (ADM) web interface running on the remote web server is prior to 3.1.6. It is, therefore, affected by multiple vulnerabilities:

 - CVE-2018-15694: Authenticated File Upload

 - CVE-2018-15695: Authenticated Arbitrary File Deletion

 - CVE-2018-15696: Authenticated Account Enumeration

 - CVE-2018-15697: Authenticated File Disclosure

 - CVE-2018-15698: Authenticated File Disclosure

 - CVE-2018-15699: MITM XSS

Solution

Upgrade to ASUSTOR Data Master (ADM) version 3.1.6 or later.

See Also

https://www.tenable.com/security/research/tra-2018-22

http://www.nessus.org/u?6f7da7ef

Plugin Details

Severity: High

ID: 112115

File Name: asustor_data_master_3_1_6.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 2018/08/24

Updated: 2019/11/04

Dependencies: 111233

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2018-15695

CVSS v2.0

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:asustor:data_master

Required KB Items: installed_sw/ASUSTOR Data Master

Exploit Ease: No known exploits are available

Patch Publication Date: 2018/08/15

Vulnerability Publication Date: 2018/08/24

Reference Information

CVE: CVE-2018-15694, CVE-2018-15695, CVE-2018-15696, CVE-2018-15697, CVE-2018-15698, CVE-2018-15699