search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NAS4Free version 9.1.0.1 contains a remote command execution vulnerability

Vulnerability Note VU#326830

Original Release Date: 2013-10-30 | Last Revised: 2013-10-30

Overview

NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability (CWE-94).

Description

CWE-94: Improper Control of Generation of Code ('Code Injection')

NAS4Free version 9.1.0.1.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remotely authenticated attacker can send an HTTP POST request that contains a malicious PHP file which can cause the script to run directly on the machine.

For more details, please see Tod Beardsley's Rapid7 blog post.

Impact

A remote authenticated attacker may be able to execute arbitrary code as root on the system.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

326830
 
Affected   Unknown   Unaffected

NAS4Free

Notified:  October 08, 2013 Updated:  October 28, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal 5.1 E:POC/RL:U/RC:UR
Environmental 1.3 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3631
Date Public: 2013-10-30
Date First Published: 2013-10-30
Date Last Updated: 2013-10-30 17:13 UTC
Document Revision: 28

Sponsored by CISA.