Security Notices for Buffalo TeraStations
Buffalo TeraStations use a closed operating system that does not allow users to access the OS, install programs, or change the code, thus closing off many cyberattack vectors.
Many of our customers run security scanning software that identifies the version information of the various network services provided by the TeraStation and reports known vulnerabilities associated with that software.
Buffalo is committed to the security of our customers' data. We will investigate and report on security vulnerabilities that may affect our systems, and publish any remediation or the results of those investigations here.
The systems covered by this reporting are:
- TeraStation 7010 Series
- TeraStation 6000 Series
- TeraStation 5020 / 3020 Series
- TeraStation 5010 / 3010 Series
Vulnerabilities on other systems will be addressed according to their severity; users should consult the firmware update notes for a history of security patches applied.
For environments where regulatory compliance requires specific responses to vulnerability scanning software, Buffalo recommends using the systems listed above.
Report Vulnerabilities
Please contact: security@buffaloamericas.com to report security issues that might affect Buffalo TeraStations.
Please note that this e-mail address is used for monitoring potential product security issues. A reply may not be sent unless further information is required or supplied. For technical support of Buffalo products, please visit our Support page instead.
| Issue Name | Status | Severity | CVE | Last Updated | Affected Supported TeraStations | Notes |
|---|---|---|---|---|---|---|
| SSL Security Ticket Cannot be trusted | Resolved | Low | N/A | 3/10/2023 | None / All | This is an expected scan result until a certificate issued by a certifying authority is installed by the administrator |
| | Resolved | High | CVE-1999-0505 | 12/21/2022 | None | Configuration needed. Refer to vulnerability page. |
| | Not Affected | Medium | CVE-2003-1418 | 3/16/2023 | None | |
| | Resolved | Medium | CVE-2004-2761 | 12/21/2022 | None | Configuration needed. Refer to vulnerability page. |
| | Not Affected | Low | CVE-2007-1858 | 3/10/2023 | None | |
| OpenSSH when UseLogin feature is enabled | Not Affected | High | CVE-2015-8325 | 3/10/2023 | None | |
| | Not Affected | High | CVE-2016-1908 | 3/10/2023 | None | |
| Denial of Service Vulnerability | Resolved | High | CVE-2016-2177 | 3/10/2023 | TS5010 | Upgrade to firmware 4.80 or later |
| Denial of Service (DoS) Vulnerability in OpenSSL DTLS | Not Affected | High | CVE-2016-2179 | 3/10/2023 | None | |
| Denial of Service (DoS) Vulnerability in OpenSSL crypto/bn/bn_print.c | Ongoing | High | CVE-2016-2182 | 3/16/2023 | TS6000 | |
| | Resolved | High | CVE-2016-2183 | 3/10/2023 | TS5010 | Update firmware to 4.32 or later. |
| Denial of Service (DoS) Vulnerability in OpenSSL's ssl/t1_lib.c | Ongoing | High | CVE-2016-6302 | 3/10/2023 | TS6000 | |
| | Not Affected | High | CVE-2016-6304 | 3/10/2023 | None | |
| | Resolved | High | CVE-2016-10009 | 7/12/2023 | TS6000 | Update firmware to 4.56 or later (TS5010/3010/3020); update firmware to 5.12 or later (TS6000) |
| | Not Affected | High | CVE-2016-10010 | 7/12/2023 | None | |
| | Not Affected | Medium | CVE-2018-16860 | 3/10/2023 | None | |
| Samba Active Directory DoS in ldb_qsort and dns_name_compare | Not Affected | Medium | CVE-2019-14861 | 7/12/2023 | None | |
| ACL Inheritance in Samba AD DC | Not Affected | Medium | CVE-2019-14902 | 3/10/2023 | None | |
| Samba Active Directory CPU and use-after-free DoS vulnerabilities | Not Affected | High | CVE-2020-10730 | 7/12/2023 | None | |
| | Ongoing | Medium | CVE-2020-14318 | 3/10/2023 | TS7010 | |
| | Ongoing | Medium | CVE-2021-31439 | 8/25/2022 | TS6000 | Disable AFP as a workaround. |
| Samba information disclosure with SMB1 | Not Affected | High | CVE-2021-44141 | 3/10/2023 | None | |
| Samba Active Directory elevation of privilege vulnerabilities | Not Affected | Critical | CVE-2022-37966 | 7/12/2023 | None | |
| Arbitrary code execution on affected installations of Netatalk | Ongoing | Critical | CVE-2022-43634 | 7/12/2023 | TS7010 | Disable AFP as a workaround. |
| Samba Active Directory BitLocker Keys | Not Affected | Medium | CVE-2023-0164 | 7/12/2023 | None | |
| Samba server heap buffer overflow | Ongoing | Medium | CVE-2022-3437 | 10/10/2023 | TS7010 | |
| SSH server file creation restriction bypass vulnerability | Ongoing | Medium | CVE-2017-15906 | 10/10/2023 | TS6000 | |
| OpenSSH requesting transmission of an entire buffer | Ongoing | High | CVE-2016-0777 | 10/10/2023 | TS6000 | |
| Samba 32-bit systems buffer overflow | Ongoing | High | CVE-2022-42898 | 10/10/2023 | TS7010 | |
| OpenSSH bypass timeout checks and XSECURITY restrictions | Ongoing | High | CVE-2015-5352 | 10/10/2023 | TS6000 | |
| OpenSSH security bypass in the kbdint_next_device() function | Ongoing | Medium | CVE-2015-5600 | 10/10/2023 | TS6000 | |
| OpenSSH before 8.5 has a double free in ssh-agent | Ongoing | High | CVE-2021-28041 | 10/10/2023 | TS7010 | |
| | Ongoing | Medium | N/A | 01/22/2024 | TS7010 | |
| | Not Affected | Critical | CVE-2023-38408 | 2/20/2024 | None | |
| Potential man-in-the-middle attack during firmware updates may allow for arbitrary code execution | Ongoing | High | CVE-2023-51073 | | LinkStation 210/220 | |