Synology-SA-21:02 Sudo

Publish Time: 2021-02-22 03:44:30 UTC+8

Last Updated: 2021-02-22 03:44:30 UTC+8

Severity: Important
Status: Ongoing

Abstract

A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product    Severity      Fixed Release Availability
DSM 6.2    Important     Ongoing
DSMUC 3.0  Important     Pending
SkyNAS     Important     Ongoing
VS960HD    Important     Will not fix
SRM 1.2    Not affected  N/A

Mitigation

None

Detail

  • CVE-2021-3156
    • Severity: Important
    • CVSS3 Base Score: 7.8
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    • Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
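
The version check a defender would run on an affected host, added here as an illustration and not part of Synology's advisory or tooling: it parses the first line of sudo --version output, turns the version string into a sortable key, compares it with the 1.9.5p2 fix release named above, and flags older builds. The sample output below is constructed, and the function names are this example's own. It is a triage aid only: vendors and distributions that backport the fix keep an older upstream version string, so a flagged host should be confirmed against its package changelog or the vendor's fixed-release list.

```shell
#!/bin/sh
# Constructed sample of `sudo --version` output (not captured from a real
# Synology device); only the first "Sudo version ..." line is parsed.
SAMPLE_SUDO_VERSION_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'

# Fix release named in the advisory (CVE-2021-3156).
FIXED_SUDO_VERSION=1.9.5p2

# Print the version token ("1.8.31" or "1.9.5p2") from sudo --version output.
sudo_version_from_output() {
    printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# Turn "MAJOR.MINOR.PATCH[pN]" into a fixed-width integer key so that a
# plain numeric comparison orders releases correctly, e.g.
# 1.9.5p2 -> 1009005002 and 1.8.31 -> 1008031000 (missing pN counts as 0).
sudo_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' \
        '{ printf "%d%03d%03d%03d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Exit status 0 (true) when VERSION is older than the fix release, 1 otherwise.
sudo_version_is_vulnerable() {
    key=$(sudo_version_key "$1")
    fixed=$(sudo_version_key "$FIXED_SUDO_VERSION")
    [ "$key" -lt "$fixed" ]
}

# Triage verdict for one host's sudo --version output.
# Returns 0 when the host needs attention, 1 when it is at or past the fix,
# 2 when the output could not be parsed, so it can drive a fleet script.
check_sudo_output() {
    ver=$(sudo_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "could not parse sudo version from output" >&2
        return 2
    fi
    if sudo_version_is_vulnerable "$ver"; then
        echo "sudo $ver is older than $FIXED_SUDO_VERSION: CVE-2021-3156 fix not present in version string"
        return 0
    fi
    echo "sudo $ver is $FIXED_SUDO_VERSION or newer"
    return 1
}

# Run against the constructed sample. On a real host use:
#   check_sudo_output "$(sudo --version)"
check_sudo_output "$SAMPLE_SUDO_VERSION_OUTPUT"
```

The key encoding pads each of the four fields to three digits, which is enough for any sudo release number and avoids the usual trap of comparing "1.8.31" and "1.9.5" as strings; a host reported as older than the fix is a candidate for the "Ongoing" rows in the table above, not proof of exposure.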

Reference

Revision

Revision  Date        Description
1         2021-02-22  Initial public release.