Synology-SA-17:19 sudo
Publish Time: 2017-06-01 00:00:00 UTC+8
Last Updated: 2021-04-12 15:32:58 UTC+8
- Severity: Low
- Status: Resolved
Abstract
CVE-2017-1000367 allows local authenticated users with privileges to execute commands via sudo to overwrite arbitrary files and obtain full root privileges.
The impact on DSM is low because the vulnerability is only reachable by a user who can already run commands through sudo, and by default the only authenticated users in the sudoers list on DSM are those who are already able to switch to root.
Severity
- Impact: Low
Affected
- Products
- DSM 6.1
- DSM 6.0
- Models
- All Synology models
Description
A vulnerability was found in ttyname.c in sudo versions 1.8.6p7 through 1.8.20. On Linux, sudo determines its controlling tty by reading the process status file (/proc/[pid]/stat) and taking the tty device number from field 7, but it split the line on whitespace without accounting for the command name in field 2, which can itself contain spaces and is under the user's control. A local user listed in sudoers can therefore run sudo under a crafted command name so that an attacker-chosen device number is parsed, cause sudo to look for that device in a world-writable directory such as /dev/shm, and win a race with a crafted symlink so that sudo writes to an arbitrary file. As described in the referenced sudo alert, the arbitrary-file-overwrite path applies to sudo builds with SELinux support when a role is requested (-r); the end result is full root privileges.
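As an added illustration (not part of the Synology advisory and not sudo's own source), the following C program contrasts a whitespace-splitting parse of /proc/[pid]/stat with a parse that first skips past the last ')' and only then counts fields, which is the approach sudo's fix took. The three stat lines are constructed, not captured from a real system; PID 1234 and the command names are arbitrary, and tty_nr 34816 corresponds to /dev/pts/0 (major 136, minor 0).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1-based index of tty_nr in /proc/[pid]/stat, per proc(5). */
#define TTY_NR_FIELD 7

/* Constructed sample /proc/[pid]/stat lines (not captured from a real host). */
/* Ordinary shell on /dev/pts/0: tty_nr 34816 == makedev(136, 0). */
static const char STAT_LEGIT[] =
    "1234 (bash) S 1 1234 1234 34816 1234 4194304 0 0 0 0 0 0 0 0 0 20 0 1 0 0\n";
/* Command name "a b c d e 1 f" (13 chars, fits within TASK_COMM_LEN) places the
 * attacker-chosen token "1" where a naive parser expects field 7. */
static const char STAT_CRAFTED[] =
    "1234 (a b c d e 1 f) S 1 1234 1234 34816 1234 4194304 0 0 0 0 0 0 0 0 0 20 0 1 0 0\n";
/* Command name that itself contains ')': only the LAST ')' closes field 2. */
static const char STAT_PAREN[] =
    "1234 (a) b) S 1 1234 1234 34816 1234 4194304 0 0 0 0 0 0 0 0 0 20 0 1 0 0\n";

/* Parse a decimal field strictly; return -1 unless the whole token is a number. */
static long parse_field(const char *tok) {
    char *end;
    long v = strtol(tok, &end, 10);
    return (*end == '\0' && end != tok) ? v : -1;
}

/* Walk whitespace-separated tokens of s, numbering them from first+1,
 * and return the token that lands on TTY_NR_FIELD. */
static long nth_field(const char *s, int first) {
    char *copy = strdup(s);
    if (!copy) return -1;
    long result = -1;
    int field = first;
    for (char *tok = strtok(copy, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (++field == TTY_NR_FIELD) { result = parse_field(tok); break; }
    }
    free(copy);
    return result;
}

/* Vulnerable-style parse: treat the entire line as whitespace-separated
 * fields and take field 7. Spaces inside the command name shift every
 * later field, so the user controls what ends up in field 7. */
long tty_nr_naive(const char *stat_line) {
    return nth_field(stat_line, 0);
}

/* Hardened parse, modelled on sudo's fix: the command name is the only
 * field that may contain spaces or ')', so skip past the last ')' and
 * resume counting at field 3 (the process state). */
long tty_nr_fixed(const char *stat_line) {
    const char *close = strrchr(stat_line, ')');
    if (!close) return -1;
    return nth_field(close + 1, 2);
}

/* Decode the Linux dev_t encoding so a tty_nr reads as major:minor. */
unsigned dev_major(long dev) { return (unsigned)((dev >> 8) & 0xfff); }
unsigned dev_minor(long dev) { return (unsigned)((dev & 0xff) | ((dev >> 12) & 0xfff00)); }

int main(void) {
    const char *names[] = { "legit", "crafted", "paren" };
    const char *lines[] = { STAT_LEGIT, STAT_CRAFTED, STAT_PAREN };
    for (int i = 0; i < 3; i++) {
        long n = tty_nr_naive(lines[i]);
        long f = tty_nr_fixed(lines[i]);
        printf("%-8s naive=%ld (%u:%u)  fixed=%ld (%u:%u)\n", names[i],
               n, dev_major(n), dev_minor(n), f, dev_major(f), dev_minor(f));
    }
    return 0;
}
```

On the crafted line the naive parser returns device number 1, a value chosen by the process owner, while the hardened parser still returns 34816 (136:0); on the line whose command name contains ')' the naive parser returns 1234, the parent PID that happens to fall in position 7. A spoofed, non-existent device number is what lets sudo's subsequent search of /dev wander into user-writable locations such as /dev/shm.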
Update Availability
To fix the security issue, please update DSM 6.2 to 6.2-22259 or above.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367
https://www.sudo.ws/alerts/linux_tty.html
http://www.openwall.com/lists/oss-security/2017/05/30/16