Synology-SA-20:26 DSM

Publish Time: 2020-11-26 11:52:20 UTC+8

Last Updated: 2022-05-18 09:59:54 UTC+8

Severity: Critical

Status: Accepted

Abstract

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).

Affected Products

| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 6.2 | Important | Upgrade to 6.2.3-25426-3 or above. |
| DSMUC 3.0 | Low | Upgrade to 3.1-23033 or above. |
| VS Firmware 2.3 | Moderate | Ongoing |
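
An added example, not part of Synology's advisory: a POSIX shell check that compares installed release strings against the fixed releases listed in the table above. The function names, the inventory format and the sample hosts and versions are constructed for illustration, and the comparison assumes releases order by build number first and trailing update number second.

```shell
#!/bin/sh
# Fixed releases as listed in the advisory's Affected Products table.
fixed_release() {
    case "$1" in
        "DSM 6.2")   echo "6.2.3-25426-3" ;;
        "DSMUC 3.0") echo "3.1-23033" ;;
        *)           return 1 ;;   # e.g. VS Firmware 2.3: availability "Ongoing"
    esac
}

# Split "<version>-<build>[-<update>]" into BUILD and SMALLFIX (default 0).
parse_release() {
    rest=${1#*-}
    [ "$rest" != "$1" ] || return 1            # no build number in the string
    BUILD=${rest%%-*}
    case "$rest" in *-*) SMALLFIX=${rest#*-} ;; *) SMALLFIX=0 ;; esac
    case "$BUILD" in ''|*[!0-9]*) return 1 ;; esac
    case "$SMALLFIX" in ''|*[!0-9]*) return 1 ;; esac
}

# Print one of: patched | vulnerable | no-fix-listed | unparsable
advisory_status() {
    fixed=$(fixed_release "$1") || { echo no-fix-listed; return 0; }
    parse_release "$fixed" || { echo unparsable; return 0; }
    want_build=$BUILD; want_fix=$SMALLFIX
    parse_release "$2" || { echo unparsable; return 0; }
    # Assumption: a higher build number always means a later release.
    if [ "$BUILD" -gt "$want_build" ] ||
       { [ "$BUILD" -eq "$want_build" ] && [ "$SMALLFIX" -ge "$want_fix" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# Read "host|product|installed-release" lines and print a status per host.
report() {
    while IFS='|' read -r host product version; do
        printf '%-8s %-16s %-16s %s\n' "$host" "$product" "$version" \
            "$(advisory_status "$product" "$version")"
    done
}

# Constructed inventory: host names and installed versions are made up.
report <<'EOF'
nas-01|DSM 6.2|6.2.3-25426-2
nas-02|DSM 6.2|6.2.3-25426-3
uc-01|DSMUC 3.0|3.0-21000
vs-01|VS Firmware 2.3|2.3.1-1505
EOF
```

A release string with no update suffix, such as 6.2.3-25426, is treated as update 0 and therefore reported as vulnerable.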

Mitigation

None

Detail

  • CVE-2021-26560

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
  • CVE-2021-26561

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
  • CVE-2021-26562

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
  • CVE-2021-26569

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27646

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27647

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27649

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
  • CVE-2021-31439

    • Severity: Critical
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
  • CVE-2022-22687

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
  • CVE-2021-26564

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
  • CVE-2021-26565

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
  • CVE-2021-26566

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
  • CVE-2021-26567

    • Severity: Important
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allows local attackers to execute arbitrary code via filename and pathname options.
  • CVE-2021-29083

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
  • CVE-2021-29084

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    • Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
  • CVE-2021-29085

    • Severity: Important
    • CVSS3 Base Score: 8.6
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    • Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
  • CVE-2021-29087

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    • Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
  • CVE-2021-29086

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.

Acknowledgement

  • Justin Taft (@oneupsecurity) working with Trend Micro’s Zero Day Initiative

  • Claudio Bozzato of Cisco Talos

  • DEVCORE working with Trend Micro’s Zero Day Initiative

  • STARLabs working with Trend Micro’s Zero Day Initiative

  • ddaa of TrapaSecurity

  • Chanyoung So

Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2020-11-26 | Initial public release. |
| 2 | 2021-02-02 | Updated Acknowledgement for researchers. |
| 3 | 2021-02-03 | Updated Acknowledgement for researchers. |
| 4 | 2021-04-09 | Disclosed vulnerability details. |
| 5 | 2021-06-01 | Update for DSM UC is now available in Affected Products. |
| 6 | 2021-06-24 | Disclosed vulnerability details. |
| 7 | 2022-05-18 | Disclosed vulnerability details. |