Synology-SA-18:24 DSM

Publish Time: 2018-05-23 14:07:44 UTC+8

Last Updated: 2018-06-08 15:36:43 UTC+8

Severity: Important

Status: Resolved

Abstract

Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or to set a new password without verification via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product   Severity    Fixed Release Availability
DSM 6.1   Important   Upgrade to DSM 6.2-23739 or above.
DSM 6.0   Important   Upgrade to DSM 6.2-23739 or above.
DSM 5.2   Important   Upgrade to DSM 6.2-23739 or above.
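As an added example that is not part of Synology's advisory: a small Python check that parses DSM version strings in the form used above (major.minor-build, optionally prefixed with "DSM" or suffixed with "Update N") and flags installs older than the fixed release 6.2-23739. The inventory hostnames and version strings are constructed for illustration.

```python
import re
from typing import Dict, NamedTuple, Tuple

FIXED_RELEASE = "6.2-23739"  # fixed release named in Synology-SA-18:24

class DsmVersion(NamedTuple):
    release: Tuple[int, ...]  # e.g. (6, 1) or (6, 2, 2)
    build: int                # e.g. 15284

# Accepts "6.1-15284", "DSM 6.2-23739", "6.2.2-24922 Update 4"; the "Update N"
# suffix is ignored because updates never lower the build number the fix is keyed on.
_VERSION_RE = re.compile(
    r"^\s*(?:DSM\s+)?(\d+(?:\.\d+)*)-(\d+)(?:\s+Update\s+\d+)?\s*$", re.IGNORECASE
)

def parse_dsm_version(text: str) -> DsmVersion:
    """Parse a DSM version string into (release tuple, build number)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a DSM version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return DsmVersion(release, int(m.group(2)))

def is_vulnerable(version_text: str) -> bool:
    """True when the install is older than the fixed release (tuple comparison)."""
    return parse_dsm_version(version_text) < parse_dsm_version(FIXED_RELEASE)

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> DSM version string to 'upgrade', 'ok', or 'unknown' (unparseable)."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "upgrade" if is_vulnerable(version_text) else "ok"
        except ValueError:  # never let a bad string pass as patched
            result[host] = "unknown"
    return result

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "nas-01": "6.1-15284 Update 3",
    "nas-02": "DSM 6.2-23739",
    "nas-03": "5.2-5967",
    "nas-04": "6.2.2-24922 Update 4",
    "nas-05": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> {status}")
```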

Mitigation

None

Detail

  • CVE-2017-12075

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary commands via the username parameter.
  • CVE-2018-8916

    • Severity: Moderate
    • CVSS3 Base Score: 6.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    • Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset a password without verification.

Revision

Revision   Date         Description
1          2018-05-23   Initial public release.
2          2018-06-08   Disclosed vulnerability details.