CVE-2018-13361 in TerraMaster TOS
Summary
by MITRE
User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
Analysis
by VulDB Data Team • 08/09/2024
The vulnerability identified as CVE-2018-13361 represents a critical user enumeration flaw in TerraMaster TOS version 3.1.03 affecting the usertable.php component. This vulnerability specifically exploits the "modgroup" parameter to enable unauthorized attackers to enumerate all system users within the affected environment. The flaw stems from insufficient input validation and access control mechanisms that fail to properly restrict user enumeration capabilities, allowing malicious actors to systematically discover valid user accounts through parameter manipulation.
From a technical perspective, this vulnerability operates as a classic information disclosure weakness that falls under CWE-200, which defines information exposure vulnerabilities where sensitive information is unintentionally revealed to unauthorized actors. The vulnerability exists because the usertable.php script does not adequately validate or sanitize the "modgroup" parameter before processing it, enabling attackers to craft specific requests that return user account information. This type of vulnerability is particularly dangerous as it provides attackers with a comprehensive list of valid usernames that can subsequently be used for targeted attacks including brute force authentication attempts, social engineering campaigns, or privilege escalation exploits.
The operational impact of this vulnerability extends beyond simple user enumeration, creating a significant security risk for organizations deploying TerraMaster TOS 3.1.03. Attackers can leverage this weakness to build detailed profiles of system users, potentially identifying administrative accounts, users with elevated privileges, or accounts with specific roles within the system. This information can then be used to conduct more sophisticated attacks such as credential stuffing, password spraying, or targeted phishing campaigns. The vulnerability aligns with ATT&CK technique T1087.001 which covers account discovery through enumeration of local system accounts, and T1566.001 which involves social engineering through credential harvesting.
Organizations utilizing TerraMaster TOS 3.1.03 must implement immediate mitigations to address this vulnerability. The primary recommendation is proper input validation and parameter sanitization for all user-facing interfaces, particularly those handling account management functions. Access controls should be strengthened so that only authorized administrative users can list accounts, with authentication checks enforced before any user listing operation. Additionally, TOS should be updated to version 3.1.04 or later, which contains the patch for usertable.php that prevents unauthorized user enumeration. Network-level protections such as rate limiting and access control lists can also help mitigate exploitation attempts, and monitoring should be in place to detect anomalous enumeration activity (for example, many requests to usertable.php with varying "modgroup" values from one source) that may indicate active exploitation. The vulnerability demonstrates the critical importance of proper access control and input validation in preventing information disclosure attacks that can significantly compromise a system's security posture.
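The monitoring recommended above can be implemented as a simple sliding-window check over web-server access logs. The following is an added example written for this analysis, not code from VulDB or TerraMaster; it assumes the NAS web server logs in Apache combined format, and the log lines below are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2024:10:00:01 +0000] "GET /usertable.php?modgroup=admin HTTP/1.1" 200 812 "-" "curl/7.68.0"
10.0.0.5 - - [09/Aug/2024:10:00:02 +0000] "GET /usertable.php?modgroup=users HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.5 - - [09/Aug/2024:10:00:03 +0000] "GET /usertable.php?modgroup=guest HTTP/1.1" 200 410 "-" "curl/7.68.0"
10.0.0.5 - - [09/Aug/2024:10:00:04 +0000] "GET /usertable.php?modgroup=backup HTTP/1.1" 200 390 "-" "curl/7.68.0"
192.168.1.20 - - [09/Aug/2024:10:05:00 +0000] "GET /usertable.php?modgroup=users HTTP/1.1" 200 2210 "https://nas.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; returns a dict or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["path"])
    rec["script"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def is_enum_request(rec):
    """True for a request to usertable.php carrying a modgroup parameter (the CVE-2018-13361 vector)."""
    return rec["script"].endswith("/usertable.php") and "modgroup" in rec["query"]

def detect_enumeration(log_text, threshold=3, window_seconds=60):
    """Return {ip: details} for sources with >= threshold modgroup requests inside a sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of enumeration requests still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_enum_request(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = {"count": len(q), "first_seen": q[0].isoformat(), "user_agent": rec["ua"]}
    return flagged
```

With the sample data, 10.0.0.5 is flagged on its third request within the window, while the single browser request from 192.168.1.20 is ignored; tune threshold and window to the legitimate administrative traffic of the deployment.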