I wasn’t sure where else to post this, so here it goes for now.
I recently purchased a Terramaster F2-210 NAS. It is a great product; however, I discovered something rather unsettling about it security-wise that LevelOneTechs may wish to mention in a video to protect others who haven’t noticed. Essentially, the NAS is exposing itself to the world without permission, assuming it is running on a router that has UPnP enabled. This has a CVE now, which can be viewed here: NVD - CVE-2021-30127.
I also have more details which I’d be happy to share with LevelOneTechs privately. Please let me know if there is interest in this.
Ironically, I recently read How NAT traversal works · Tailscale Blog … and was amazed at what lengths they go to in order to help connect two devices across the internet. And here comes Terramaster doing one of those things randomly in a completely wrong context.
6 weeks ago I informed them, and have heard nothing since. Is there some email or contact form I can use to get in front of Wendel + team? I’ve got some other scary details I don’t want to publicise because they scare me, but may motivate them into writing/talking about this publicly.
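For anyone who wants to check whether something on their LAN has quietly punched a hole through the router the way the post describes, here is a small script to enumerate the router’s UPnP IGD port mappings. It is an added example, not code from the original post, from Terramaster, or from LevelOneTechs. It assumes the router speaks IGD v1 (a WANIPConnection:1 or WANPPPConnection:1 service, the usual case), and the two sample SOAP responses at the bottom are constructed for the offline check, with made-up host and port values that say nothing about what the F2-210 actually opens.

```python
"""Enumerate UPnP IGD port mappings on the local router and flag ones reachable from the Internet.
Added example; assumes an IGD v1 router (WANIPConnection:1 / WANPPPConnection:1)."""
import re
import socket
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"


def discover_igd(timeout=2.0):
    """SSDP M-SEARCH for an Internet Gateway Device; returns its description URL or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           'MAN: "ssdp:discover"\r\n'
           "MX: 2\r\n"
           f"ST: {IGD_ST}\r\n\r\n")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg.encode(), SSDP_ADDR)
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    m = re.search(r"^LOCATION:\s*(\S+)", data.decode(errors="replace"), re.I | re.M)
    return m.group(1) if m else None


def find_wan_service(description_xml, location):
    """Return (serviceType, absolute controlURL) of the WAN connection service in a device description."""
    root = ET.fromstring(description_xml)
    base = (root.findtext(DEV_NS + "URLBase") or location).strip()
    for svc in root.iter(DEV_NS + "service"):
        stype = (svc.findtext(DEV_NS + "serviceType") or "").strip()
        if stype in WAN_SERVICES:
            return stype, urljoin(base, (svc.findtext(DEV_NS + "controlURL") or "").strip())
    raise RuntimeError("device description has no WAN*Connection service")


def soap_call(control_url, service_type, action, args_xml=""):
    """POST one SOAP action to the IGD control URL and return the raw response body."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">{args_xml}</u:{action}>'
            '</s:Body></s:Envelope>')
    req = Request(control_url, data=body.encode(), method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#{action}"'})
    return urlopen(req, timeout=5).read()


def parse_port_mapping(xml_bytes):
    """Parse a GetGenericPortMappingEntryResponse; returns a dict, or None if the body is a SOAP fault."""
    root = ET.fromstring(xml_bytes)
    resp = next((e for e in root.iter() if e.tag.endswith("GetGenericPortMappingEntryResponse")), None)
    if resp is None:
        return None
    f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in resp}  # strip any namespace prefix
    return {"remote_host": f.get("NewRemoteHost", ""),
            "external_port": int(f.get("NewExternalPort") or 0),
            "protocol": f.get("NewProtocol", ""),
            "internal_client": f.get("NewInternalClient", ""),
            "internal_port": int(f.get("NewInternalPort") or 0),
            "enabled": f.get("NewEnabled") == "1",
            "description": f.get("NewPortMappingDescription", "")}


def list_port_mappings(control_url, service_type, max_entries=256):
    """Walk the mapping table by index; the router ends it with SOAP fault 713 (usually as HTTP 500)."""
    mappings = []
    for i in range(max_entries):
        try:
            raw = soap_call(control_url, service_type, "GetGenericPortMappingEntry",
                            f"<NewPortMappingIndex>{i}</NewPortMappingIndex>")
        except HTTPError:
            break
        entry = parse_port_mapping(raw)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def exposed_mappings(mappings):
    """Enabled mappings with no source restriction (empty NewRemoteHost = any Internet host)."""
    return [m for m in mappings if m["enabled"] and m["remote_host"] in ("", "*")]


# Constructed sample responses (not captured from any real router or NAS); host/port values are made up.
SAMPLE_ENTRY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8181</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8181</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>example-nas</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>
</detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    loc = discover_igd()
    if loc is None:
        print("no UPnP IGD answered on this LAN (UPnP is off, or the router ignores M-SEARCH)")
    else:
        stype, ctl = find_wan_service(urlopen(loc, timeout=5).read(), loc)
        for m in exposed_mappings(list_port_mappings(ctl, stype)):
            print(f"{m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']} {m['description']!r}")
```

Run it from a machine on the same LAN as the router. Any line it prints is a port the router is forwarding to an internal host for the whole Internet, whether you asked for it or a device did it on its own; if the internal client is the NAS, that is exactly the exposure described above. If you would rather not rely on the script, most routers list the same table under their UPnP status page, and turning UPnP off at the router removes the mappings entirely.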
You can probably send some of the scary details to @wendell over email, and if worded nicely he can hook you up with his marketing contact.
Usually marketing/PR/Engineers working in security can find a way to work together when it comes to stuff like this.
IMHO, 6 weeks (half a quarter) is usually reasonably long and plenty of time to do a fix and a point release for serious software security issues. If not - I’m sorry - but keep in mind that many organizations are managed in a way where this is possible despite pandemics and fires and civil unrest; e.g., in between babies and bereavements and illness across several teams I work across, we’re down between 50% and 2/3 of staff at the moment - we’re not the most productive bunch at the moment, but we know how to prioritize to get the most important stuff done, and how to monitor and manage burnout and other issues despite everything. (For people/product/project managers this is simple math - it should be part of their core skill set.)
To be clear, they did respond the same day, I don’t want to disparage them here. Their response was that they’d look into it, but when I then asked for a timeline/update, they were radio silent. I don’t think they saw it as an issue, almost a feature. But these things being publicly accessible is very bad news bears.