PT-2020-9201 · Asustor · Asustor Exfat Driver

Published

2020-03-18

Updated

2020-08-24

CVE-2019-11689

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions ASUSTOR exFAT Driver versions 1.0.0.r20 and earlier

Description An issue was discovered in the license validation process of the ASUSTOR exFAT Driver. The exfat.cgi and exfatctl components fail to properly validate server responses, passing unsanitized text to the system shell. This results in code execution as root.

Recommendations For ASUSTOR exFAT Driver versions 1.0.0.r20 and earlier, consider disabling the exfat.cgi and exfatctl components until a patch is available to prevent code execution as root. Restrict access to these components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-11689

Affected Products

Asustor Exfat Driver

PT-2020-9201 · Asustor · Asustor Exfat Driver

CVE-2019-11689

Weakness Enumeration

Related Identifiers

Affected Products

References · 6