당사는 당사 웹페이지를 개선하기 위해 쿠키를 사용합니다. 당사의 쿠키 정책 을 읽으십시오.

ASUSTOR 제품 보안 권고

AS-2022-011: ADM

2022-08-29

Severity

Important

Status

Resolved

Statement

A vulnerability has been found that allows remote authenticated users to execute arbitrary code through the WebDAV protocol in susceptible versions of ASUSTOR Data Master (ADM). The issue has been resolved on ADM 3.5.9.RWM1, ADM 4.0.5.RWM1 and ADM 4.1.0.RKM1.


Affected Products

Product Severity Fixed Release Availability
ADM 4.1 Important Upgrade to 4.1.0.RKM1 or above.
ADM 4.0 Important Upgrade to 4.0.5.RWM1 or above.
ADM 3.5 Important Upgrade to 3.5.9.RWM1 or above.

Mitigation

ASUSTOR strongly recommends keeping your ASUSTOR NAS up to date as updates provide security fixes. Before updating ADM, administrators can disable WebDAV as a temporary mitigation to this specific vulnerability.


Detail

  • CVE-2022-37398
    • Severity: High
    • CVSS3 Base Score: 7.1
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
    • A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below.

Acknowledgement

Nikita Abramov from Positive Technologies


Revision

Revision Date Description
1 2022-07-28 Initial public release.
2 2022-08-05 CVE ID (CVE-2022-37398) and CVE Record assigned for the issue.
3 2022-08-29 Release ADM 4.1.0.RKM1, ADM 4.0.5.RWM1 and ADM 3.5.9.RWM1 for fixing the issue.