Synology-SA-24:04 Surveillance Station

Publish Time: 2024-03-28 14:07:31 UTC+8

Last Updated: 2024-04-01 10:17:08 UTC+8

Severity
Important
Status
Resolved

Abstract

Multiple vulnerabilities allow remote authenticated users to access intranet resources, bypass security constraints, conduct denial-of-service attacks, inject SQL commands, obtain privileges without consent, obtain sensitive information, and write specific files via a susceptible version of Surveillance Station.

Affected Products

Product Severity Fixed Release Availability
Surveillance Station for DSM 7.2 Important Upgrade to 9.2.0-11289 or above.
Surveillance Station for DSM 7.1 Important Upgrade to 9.2.0-11289 or above.
Surveillance Station for DSM 6.2 Important Upgrade to 9.2.0-9289 or above.

Mitigation

None

Detail

  • CVE-2024-29228

    • Severity: Important
    • CVSS3 Base Score: 7.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    • Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.

  • CVE-2024-29229

    • Severity: Important
    • CVSS3 Base Score: 7.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    • Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.

  • CVE-2024-29241

    • Severity: Important
    • CVSS3 Base Score: 9.9
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
    • Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors.

  • CVE-2024-29227

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29230

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29231

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors.

  • CVE-2024-29232

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29233

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29234

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29235

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29236

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29237

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29238

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29239

    • Severity: Moderate
    • CVSS3 Base Score: 5.4
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

  • CVE-2024-29240

    • Severity: Moderate
    • CVSS3 Base Score: 4.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
    • Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors.

Acknowledgement

  • TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)

  • Tim Coen (https://security-consulting.icu)

  • Zhao Runzi (赵润梓)

Reference

Revision

Revision Date Description
1 2024-03-28 Initial public release.
2 2024-03-28 Disclosed vulnerability details.