
AS-2022-011: ADM

2022-08-29

Severity

Important

Status

Resolved


Statement

A vulnerability has been found that allows remote authenticated users to execute arbitrary code through the WebDAV protocol in susceptible versions of ASUSTOR Data Master (ADM). The issue has been resolved in ADM 3.5.9.RWM1, ADM 4.0.5.RWM1 and ADM 4.1.0.RKM1.


Affected Products

Product   Severity    Fixed Release Availability
ADM 4.1   Important   Upgrade to 4.1.0.RKM1 or above.
ADM 4.0   Important   Upgrade to 4.0.5.RWM1 or above.
ADM 3.5   Important   Upgrade to 3.5.9.RWM1 or above.

Mitigation

ASUSTOR strongly recommends keeping your ASUSTOR NAS up to date as updates provide security fixes. Before updating ADM, administrators can disable WebDAV as a temporary mitigation to this specific vulnerability.


Detail

  • CVE-2022-37398
    • Severity: High
    • CVSS3 Base Score: 7.1
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
    • A stack-based buffer overflow vulnerability was found in ADM's WebDAV handling, caused by missing validation of the size of incoming data. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below, and 4.1.0.RJD1 and below.
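An added triage helper, not part of the advisory or of ASUSTOR's own tooling, that applies the affected and fixed versions listed above to an inventory of ADM version strings so an administrator can see which units still need the upgrade. It assumes that ADM build tags such as RUE3 and RWM1 compare lexicographically; every affected/fixed pair in the advisory is consistent with that, but it is not documented.

```python
import re

# Per-branch data transcribed from ASUSTOR advisory AS-2022-011 (CVE-2022-37398):
# the highest affected build the advisory names and the fixed release.
ADVISORY = {
    (3, 5): {"last_affected": "3.5.9.RUE3", "fixed": "3.5.9.RWM1"},
    (4, 0): {"last_affected": "4.0.5.RVI1", "fixed": "4.0.5.RWM1"},
    (4, 1): {"last_affected": "4.1.0.RJD1", "fixed": "4.1.0.RKM1"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.([A-Z0-9]+)$")


def parse_adm_version(text):
    """Split 'major.minor.patch.BUILD' (e.g. 4.1.0.RKM1) into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ADM version string: {text!r}")
    major, minor, patch, build = m.groups()
    # Assumption: build tags such as RUE3 < RWM1 order lexicographically. That
    # holds for every affected/fixed pair in the advisory but is not documented.
    return (int(major), int(minor), int(patch), build)


def assess(version):
    """Return (status, fixed_release) for one ADM version string.
    'vulnerable' for anything below the branch's fixed release (conservative:
    unlisted builds between the last affected and the fixed release count as
    unpatched), 'fixed' at or above it, 'not covered' for unlisted branches.
    """
    v = parse_adm_version(version)
    entry = ADVISORY.get((v[0], v[1]))
    if entry is None:
        return ("not covered", None)
    fixed = parse_adm_version(entry["fixed"])
    return ("vulnerable" if v < fixed else "fixed", entry["fixed"])


def triage_inventory(lines):
    """Constructed 'hostname version' lines in, hosts still needing the upgrade out."""
    todo = []
    for line in lines:
        host, version = line.split()
        status, fixed = assess(version)
        if status == "vulnerable":
            todo.append((host, version, fixed))
    return todo


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["nas-01 4.1.0.RJD1", "nas-02 4.1.0.RKM1", "nas-03 3.5.8.RAA1"]
    for host, version, fixed in triage_inventory(sample):
        print(f"{host}: {version} needs upgrade to {fixed} (CVE-2022-37398)")
```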

Acknowledgement

Nikita Abramov from Positive Technologies


Revision

Revision   Date         Description
1          2022-07-28   Initial public release.
2          2022-08-05   CVE ID (CVE-2022-37398) and CVE Record assigned for the issue.
3          2022-08-29   Released ADM 4.1.0.RKM1, ADM 4.0.5.RWM1 and ADM 3.5.9.RWM1 to fix the issue.