Sonar finds 2 critical code vulns in personal cloud system CasaOS
October 2023 by SonarSource
The SonarSource Research Team has uncovered two critical code vulnerabilities in the personal cloud system CasaOS; the details were published in a blog post today. These vulnerabilities (1, 2) pose both a consumer and an enterprise issue. CasaOS is shipped with some popular devices such as the ZimaBoard, and some companies also run CasaOS.
As we’ve seen during the LastPass compromise, threat actors will exploit software deployed on employees’ personal devices to reach the companies they target. CasaOS is shipped by default with several multimedia servers and is quite popular in general.
Here are some additional details:
• The two vulnerabilities have a CVSS score of 9.8/10
• The Sonar researcher who discovered them says they are among the easiest vulns he has found in his career, both to find and to exploit
• While Sonar is releasing the technical details of its findings several months after the vendor addressed them, Sonar was made aware of public exploits based on the study of the patch only 10 days after the security release. That means that all unpatched instances are already at risk.
• CasaOS users running a vulnerable version should treat their instances as compromised. Sonar urges all CasaOS users to upgrade their instances to the latest available release.
• Personal cloud systems should not be exposed on the Internet, as they may give threat actors a foothold to internal networks and confidential data.