Security issue in Terramaster NAS products

I wasn’t sure where else to post this, so here it goes for now.

I recently purchased a Terramaster F2-210 NAS. It is a great product, however I discovered something rather unsettling about it security wise that LevelOneTechs may wish to mention in a video to protect others who haven’t noticed. Essentially, the NAS is exposing itself to the world without permission, assuming it is running on a router that has uPnP enabled. This has a CVE now which can be viewed here NVD - CVE-2021-30127.

I also have more details which I’d be happy to share with LevelOneTechs privately. Please let me know if there is interest in this.

You can read more about this here: Terramaster NAS exposing itself with UPNP as well as in the discussions I link in that blog post.

I hope to see this in a news post or similar!

4 Likes
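One way to check whether a device on your LAN has quietly opened a port on the router, added here as an example that is neither from this post nor from Terramaster: walk the router's UPnP IGD `WANIPConnection` mapping table with `GetGenericPortMappingEntry` and list every enabled mapping. The control URL, the internal address `192.168.1.50`, port `8181` and the description string in the embedded sample response are constructed assumptions for offline testing; a real router advertises its own control URL via SSDP and its device description XML.

```python
"""Audit UPnP IGD port mappings on a home router (added example, not the
post's or the vendor's code). Each mapping in the IGD table is fetched by
index; error 713 (SpecifiedArrayIndexInvalid) marks the end of the table."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Assumed control URL; take the real one from the router's device XML.
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"


def build_request(index: int) -> bytes:
    """SOAP body asking the IGD for the mapping at table position `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    ).encode()


def parse_entry(soap_xml: str) -> Optional[dict]:
    """Return the mapping's argument fields, or None on a SOAP fault."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body in response")
    if body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None  # index past the end of the table (or other fault)
    resp = body.find(f"{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        raise ValueError("unexpected SOAP response")
    # Argument elements are normally unqualified; strip a namespace if present.
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in resp}


def fetch_entry(control_url: str, index: int) -> Optional[dict]:
    """POST one GetGenericPortMappingEntry call; IGDs answer faults with HTTP 500."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#{ACTION}"',
    }
    req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return parse_entry(r.read().decode())
    except urllib.error.HTTPError as e:
        return parse_entry(e.read().decode())


def list_mappings(control_url: str, limit: int = 256) -> list:
    """Enumerate mappings from index 0 until the router reports a fault."""
    entries = []
    for i in range(limit):
        entry = fetch_entry(control_url, i)
        if entry is None:
            break
        entries.append(entry)
    return entries


def exposed_mappings(entries: list, lan_host: Optional[str] = None) -> list:
    """Enabled mappings open to any remote host (empty NewRemoteHost),
    optionally limited to one internal client such as the NAS address."""
    return [
        e for e in entries
        if e.get("NewEnabled") == "1" and not e.get("NewRemoteHost")
        and (lan_host is None or e.get("NewInternalClient") == lan_host)
    ]


def describe(e: dict) -> str:
    return (f"{e['NewProtocol']} WAN:{e['NewExternalPort']} -> "
            f"{e['NewInternalClient']}:{e['NewInternalPort']} "
            f"({e['NewPortMappingDescription']!r}, lease={e['NewLeaseDuration']}s)")


# Constructed sample responses (not captured from any real device).
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?>'
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>8181</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>8181</NewInternalPort>"
    "<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>constructed-nas-mapping</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    f"</u:{ACTION}Response></s:Body></s:Envelope>"
)
SAMPLE_FAULT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
    "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else CONTROL_URL
    for entry in exposed_mappings(list_mappings(url)):
        print(describe(entry))
```

Run it against the router's real control URL and compare the output with what you expect to be published; a mapping you did not create, pointing at the NAS, is exactly the behaviour described in the post. A lease of 0 means the mapping is permanent until deleted, so it will not age out on its own.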

Irony, I recently read How NAT traversal works · Tailscale Blog … and was amazed at what lengths they go to, to help connect two devices across the internet. And here comes Terramaster doing one of those things randomly in a completely wrong context.

Thanks, very good info as I don’t use nor need Upnp and just disabled this function on my ASUS router.

What was the response from Terramaster when reported to them?

Huh, looks like the intended default is to not connect to the internet:

https://www.terra-master.com/uk/faq/category/detail/?id=4136

6 weeks ago I informed them, and have heard nothing since.

1 Like

6 weeks ago I informed them, and have heard nothing since. Is there some email or contact form I can use to get in front of Wendel + team? I’ve got some other scary details I don’t want to publicise because they scare me, but may motivate them into writing/talking about this publicly.

1 Like

You can probably send some of the scary details to @wendell over email, and if worded nicely he can hook you up with his marketing contact.

Usually marketing/PR/Engineers working in security can find a way to work together when it comes to stuff like this.

IMHO, 6 weeks / half a quarter is usually reasonably long and plenty of time to do a fix and a point release for serious software security issues. If not - I’m sorry - but keep in mind that many organizations are managed in a way where this is possible despite pandemics and fires and civil unrest; e.g. in between babies and bereavements and illness across several teams I work across we’re down between 50% and 2/3 of staff at the moment - we’re not the most productive bunch at the moment, but we know how to prioritize to get the most important stuff done, and how to monitor and manage burnout and other issues despite everything. (for people/product/project managers this is simple math - it should be part of their core skill set).

2 Likes

As a S.eng myself, I relate heavily. I’ve sent Wendell a message to see if he’s interested in covering this.

They should have answered in a month, if only to acknowledge your message… so fair play.

And nice one, not just blurting all the details.

To be clear, they did respond the same day, I don’t want to disparage them here. Their response was that they’d look into it, but when I then asked for a timeline/update, they were radio silent. I don’t think they saw it as an issue, almost a feature. But these things being publicly accessible is very bad news bears.

1 Like

Terramaster appear to have released a fix for this, although I have not tested it yet. TOS Patch1.06 for ARM/X86 models for TOS4.2.06~4.2.09 - TerraMaster Official Forum

2 Likes