CVE-2022-4221 - OpenCVE

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Asus	Nas-m25 Nas-m25 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:asus:nas-m25_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:nas-m25:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/

History

No history.

MITRE

Status: PUBLISHED

Assigner: ONEKEY

Published: 2022-12-01T09:26:48.459Z

Updated: 2024-08-03T01:34:49.843Z

Reserved: 2022-11-30T00:08:16.735Z

Link: CVE-2022-4221

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-01T10:15:09.863

Modified: 2023-11-07T03:57:13.937

Link: CVE-2022-4221

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4221", "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846", "state": "PUBLISHED", "assignerShortName": "ONEKEY", "requesterUserId": "995fc484-d492-4a15-aa23-2c0525a3aa21", "dateReserved": "2022-11-30T00:08:16.735Z", "datePublished": "2022-12-01T09:26:48.459Z", "dateUpdated": "2024-08-03T01:34:49.843Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "NAS-M25", "vendor": "Asus", "versions": [{"lessThanOrEqual": "1.0.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Q. Kaiser, ONEKEY Research Lab"}, {"lang": "en", "type": "tool", "user": "00000000-0000-4000-9000-000000000000", "value": "ONEKEY analysis platform"}], "datePublic": "2022-12-01T09:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.<p>This issue affects NAS-M25: through 1.0.1.7.</p>"}], "value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.\n\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2d533b80-6e4a-4e20-93e2-171235122846", "shortName": "ONEKEY", "dateUpdated": "2022-12-01T09:26:48.459Z"}, "references": [{"url": "https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/"}], "source": {"discovery": "UNKNOWN"}, "title": "OS command injection in ASUS M25 NAS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:34:49.843Z"}, "title": "CVE Program Container", "references": [{"url": "https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:asus:nas-m25_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C378BD92-0E87-4854-8798-1BEEF58E9A6E", "versionEndIncluding": "1.0.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:asus:nas-m25:-:*:*:*:*:*:*:*", "matchCriteriaId": "5A3EA751-D58E-4F6B-B29C-5C842365B5F5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.\n\n"}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del Sistema Operativo ('inyecci\u00f3n de comando del Sistema Operativo') en Asus NAS-M25 permite que un atacante no autenticado inyecte comandos del Sistema Operativo arbitrarios a trav\u00e9s de valores de cookies no sanitizados. Este problema afecta a NAS-M25: hasta 1.0.1.7."}], "id": "CVE-2022-4221", "lastModified": "2023-11-07T03:57:13.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "research@onekey.com", "type": "Secondary"}]}, "published": "2022-12-01T10:15:09.863", "references": [{"source": "research@onekey.com", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://onekey.com/blog/security-advisory-asus-m25-nas-vulnerability/"}], "sourceIdentifier": "research@onekey.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "research@onekey.com", "type": "Secondary"}]}