□ Overview
o EFM networks released security update to address CSRF vulnerability in EFM product.
Vulnerability Type | Impact | Severity | CVSS Score | CVE ID |
---|---|---|---|---|
Cross Site Request Forgery | Privilege escalation, user account creation/deletion | High | 8.0 | CVE-2022-23771 |
□ Description
o This vulnerability occurs in the user account creation and deletion pages of IPTIME NAS products.
o The vulnerability can be exploited because these pages do not validate the origin of a POST request.
o An attacker can use this vulnerability to create or delete user accounts, or to escalate arbitrary user privileges.
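As an added example that is not part of this advisory or of the vendor's firmware code, the following Python sketch contrasts a POST handler that performs no request-origin validation (the class of defect described above) with one that requires a per-session synchronizer token and checks the browser-supplied Origin header. All names (`SESSIONS`, `handle_user_change_*`, the `https://nas.local` origin) are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory "session store" for the example; a real device web UI
# would keep this server-side, keyed by the login session cookie.
SESSIONS = {}


def new_session():
    """Create a logged-in session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "users": {"admin"}}
    return sid


def _apply(session, form):
    """Shared account-management logic (constructed for the example)."""
    action = form.get("action")
    name = form.get("username")
    if action == "create" and name:
        session["users"].add(name)
    elif action == "delete" and name:
        session["users"].discard(name)


def handle_user_change_vulnerable(sid, form):
    """Before: acts on any POST that arrives with the victim's session cookie.
    A form auto-submitted from another site also carries that cookie, so the
    request is indistinguishable from one the user made deliberately."""
    session = SESSIONS[sid]
    _apply(session, form)
    return True


def handle_user_change_hardened(sid, form, origin=None,
                                allowed_origin="https://nas.local"):
    """After: require a per-session synchronizer token in the form body and,
    as defence in depth, an Origin header that matches the device's own origin.
    Returns False (request rejected) when either check fails."""
    session = SESSIONS[sid]
    token = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token and a missing one look alike.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    # Browsers set Origin on cross-site POSTs; a mismatch means the request
    # did not originate from the device's own pages.
    if origin is not None and origin != allowed_origin:
        return False
    _apply(session, form)
    return True
```

The token must be unpredictable and tied to the session, not a static value embedded in the firmware; the Origin check is a second layer, not a replacement, because some clients omit the header.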
□ Affected Product
Product | Version | Platform |
---|---|---|
NAS1dual, NAS2dual, NAS4dual | prior to 1.4.86 | Linux, Windows, etc. |
□ Solution
o Update the firmware to IPTIME NAS version 1.4.86 or higher.
□ Reference
[1] https://iptime.com/iptime/
□ Acknowledgements
o Thanks to Jaeuk Shin for reporting this vulnerability.
□ Written by: Vulnerability Analysis Team, Incident Analysis Division