Synology-SA-24:20 DSM (PWN2OWN 2024)

Publish Time: 2024-11-05 15:15:05 UTC+8

Last Updated: 2024-12-05 17:54:12 UTC+8

Severity: Critical

Status: Resolved

Abstract

The vulnerability reported in ZDI-CAN-25403 allows remote attackers to execute arbitrary code.

The vulnerability reported in ZDI-CAN-25613 allows remote attackers to read specific files.

The vulnerability reported in ZDI-CAN-25617 allows adjacent man-in-the-middle attackers to write specific files.

Updates for DSM 7.2.1, DSM 7.1 and DSMUC 3.1 will be published within 30 days.

Affected Products

Product      Severity    Fixed Release Availability
DSM 7.2.2    Critical    Upgrade to 7.2.2-72806-1 or above.
DSM 7.2.1    Critical    Upgrade to 7.2.1-69057-6 or above.
DSM 7.1      Critical    Upgrade to 7.1.1-42962-7 or above.
DSM 6.2      Critical    Upgrade to 6.2.4-25556-8 or above.
DSMUC 3.1    Critical    Upgrade to 3.1.4-23079 or above.

Mitigation

None

Detail

Reserved

Revision

Revision    Date          Description
1           2024-11-05    Initial public release.
2           2024-11-12    Update for DSM 7.2.1 is now available in Affected Products.
3           2024-11-14    Update for DSMUC 3.1 is now available in Affected Products.
4           2024-11-26    Update for DSM 7.1 is now available in Affected Products.
5           2024-12-05    Added DSM 6.2 to Affected Products.
6           2024-12-05    Update for DSM 6.2 is now available in Affected Products.