Synology-SA-23:11 Synology Camera
Publish Time: UTC+8
Last Updated: UTC+8
- Severity
- Critical
- Status
- Resolved
Abstract
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| BC500 | Critical | Upgrade to 1.0.5-0185 or above. |
| TC500 | Critical | Upgrade to 1.0.5-0185 or above. |
Mitigation
Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation.
Detail
- CVE-2023-5746
- Severity: Critical
- CVSS3 Base Score: 9.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.5-0185 may be affected: BC500 and TC500.
Acknowledgement
chumen77(GAO JUYANG) from WeBin Lab of DbappSecurity Co.,Ltd.
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-17 | Initial public release. |
| 2 | 2023-10-24 | Disclosed vulnerability details. |