Channel: TerraMaster Forum

Others • SSH Vulnerability - “regreSSHion” - CVE-2024-6387

On another forum (https://nascompares.com/2024/07/02/the- ... right-now/) it has been announced in the last few days that an SSH vulnerability for OpenSSH has been discovered and that the SSHd (Secure Shell Daemon) should be patched as soon as possible.

The affected SSHd range is 8.5p1 to 9.7p1.

When I run the command "ssh -V" on my TerraMaster NAS F4-423 running TOS 6.0.229-00147 I get the response: OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021. So, from what I can determine, the TOS 6.0.229-00147 software requires a patch for the OpenSSH it uses.

On the above-referenced website, they explained that practical application of the vulnerability is difficult, but not impossible. So probably a limited vulnerability for most TerraMaster NAS users if their network configurations are securely set up. Nevertheless, still a vulnerability. The relevant assessment is quoted below:

How Much Should NAS Users Be Concerned About the OpenSSH Vulnerability?
The risk posed to NAS users by the regreSSHion vulnerability is debatable, due to several mitigating factors that make exploitation highly impractical. Firstly, the NAS system would need to be running an operating system that includes the specific affected versions of OpenSSH (8.5p1 to 9.7p1). Additionally, the system must be internet-facing with SSH access enabled, making it accessible to remote attackers. Even under these conditions, the exploit requires an extended period of sustained access attempts, typically over many hours, to achieve the necessary memory corruption to successfully exploit the race condition. During this time, a vigilant system administrator monitoring access logs would likely detect the suspicious activity and take corrective action, further reducing the likelihood of a successful attack.

Moreover, many NAS configurations are behind firewalls and utilize network segmentation, limiting the exposure of SSH services to the wider internet. Implementing strong authentication methods, such as multi-factor authentication (MFA), further protects against unauthorized access attempts. Regularly updating the NAS firmware and the OpenSSH version also mitigates the risk by ensuring that known vulnerabilities are patched. In practical terms, an attacker would need to sustain a continuous and sophisticated attack vector without interruption, which is highly unlikely in well-managed network environments. These layers of defense, combined with vigilant monitoring and best security practices, make the successful exploitation of regreSSHion on NAS systems a remote possibility. Users are advised to follow recommended security measures to ensure their systems remain secure against such threats.


What is TerraMaster doing to fix the regreSSHion OpenSSH vulnerability and when will it be implemented?

Statistics: Posted by fcs001fcs — Yesterday, 19:30
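A version check for the range the post gives, added here as an example (it is not from the post, the linked article, or TerraMaster): it parses an `ssh -V` banner like the one quoted above and reports whether the build falls within 8.5p1 to 9.7p1. The `ssh -V` call for the local host and the note that upstream fixed the bug in 9.8p1 are assumptions from the public advisory, not from the post.

```python
import re
import subprocess

# Affected range as stated in the post: OpenSSH 8.5p1 through 9.7p1.
# Upstream shipped the fix in 9.8p1 (assumption from the public advisory).
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)

# Matches "OpenSSH_8.8p1"; the "pN" portable suffix is optional because
# non-portable builds (e.g. on OpenBSD) print "OpenSSH_9.8" without it.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str):
    """Return (major, minor, portable) from an `ssh -V` line, or None.

    'OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021' -> (8, 8, 1)
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def is_in_affected_range(version) -> bool:
    # Tuple comparison orders by major, then minor, then portable level.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> str:
    """Turn a banner into a short verdict for a triage checklist."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown: no OpenSSH version found in banner"
    label = f"OpenSSH {v[0]}.{v[1]}p{v[2]}"
    if is_in_affected_range(v):
        return f"{label}: within affected range, verify vendor patch status"
    return f"{label}: outside affected range"


def local_ssh_banner() -> str:
    # `ssh -V` prints its version on stderr, so read both streams.
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banner taken from the post, then the local host.
    print(assess("OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021"))
    print(assess(local_ssh_banner()))
```

A banner inside the range means "check the vendor's advisory", not "confirmed vulnerable": distributions and NAS vendors often backport the fix without changing the version string.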