Synology-SA-18:62 Netatalk

Publish Time: 2018-12-21 17:58:09 UTC+8

Last Updated: 2019-01-04 17:50:23 UTC+8

Severity: Critical

Status: Resolved

Abstract

A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Diskstation Manager (DSM) and Synology Router Manager (SRM).

Affected Products

Product     Severity   Fixed Release Availability
DSM 6.2     Critical   Upgrade to 6.2.1-23824-4 or above.
DSM 6.1     Critical   Upgrade to 6.1.7-15284-3 or above.
DSM 5.2     Critical   Upgrade to 5.2-5967-9 or above.
SkyNAS[1]   Critical   Please manually download and install version 6.1.7-15284-3.
VS960HD     Critical   Upgrade to 2.3.3-1646 or above.
SRM 1.2     Important  Upgrade to 1.2-7742-5 or above.

[1] Perform Manual DSM Update
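The fixed releases above are per product branch, so a plain numeric comparison is not enough: DSM 6.1.7-15284-3 is fixed while DSM 6.2.1-23824-3 is not, even though 6.2 is the newer line. The following checker is an added example for this advisory, not a Synology tool. It assumes that installed version strings follow the same "major.minor[.patch]-build[-hotfix]" layout as the table (an assumption inferred from the table, not stated by the advisory), and it treats SkyNAS as a DSM 6.1 branch device because the table points it at 6.1.7-15284-3.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as listed in this advisory, keyed by (product, branch).
FIXED_RELEASES: Dict[Tuple[str, str], str] = {
    ("DSM", "6.2"): "6.2.1-23824-4",
    ("DSM", "6.1"): "6.1.7-15284-3",
    ("DSM", "5.2"): "5.2-5967-9",
    ("SkyNAS", "6.1"): "6.1.7-15284-3",   # assumption: SkyNAS tracks the DSM 6.1 line
    ("VS960HD", "2.3"): "2.3.3-1646",
    ("SRM", "1.2"): "1.2-7742-5",
}

# Assumed layout: dotted version, then build number, then optional hotfix number.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.2.1-23824-4' into a tuple that compares correctly: (6, 2, 1, 23824, 4).

    The dotted part is padded to three numbers so that '5.2-5967-9' becomes
    (5, 2, 0, 5967, 9) and sorts below any 5.2.x release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    dotted, build, hotfix = m.groups()
    parts = tuple(int(p) for p in dotted.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + (int(build), int(hotfix or 0))


def branch_of(text: str) -> str:
    """Return the 'major.minor' branch of a version string, e.g. '6.2.1-23824-4' -> '6.2'."""
    dotted = text.strip().split("-", 1)[0]
    return ".".join(dotted.split(".")[:2])


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if the installed release is below the fixed release for its branch.

    Returns None when the advisory lists no fixed release for that branch, so the
    caller cannot mistake "not covered here" for "not affected".
    """
    fixed = FIXED_RELEASES.get((product, branch_of(installed)))
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify a list of (hostname, product, installed_version) records."""
    report = []
    for host, product, version in inventory:
        state = is_affected(product, version)
        label = {True: "AFFECTED", False: "fixed", None: "not covered by SA-18:62"}[state]
        report.append((host, label))
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = [
        ("nas-01", "DSM", "6.2.1-23824-4"),
        ("nas-02", "DSM", "6.2.1-23824-3"),
        ("nas-03", "DSM", "6.1.7-15284-3"),
        ("nas-04", "DSM", "5.2-5967-8"),
        ("router-01", "SRM", "1.2-7742-5"),
        ("cam-01", "VS960HD", "2.3.3-1646"),
        ("legacy-01", "DSM", "6.0-7321"),
    ]
    for host, label in triage(sample):
        print(f"{host:10s} {label}")
```

The checker returns None rather than False for branches the advisory does not list, so an unlisted build never shows up as "fixed" in the report; treat those hosts as needing a separate lookup.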

Mitigation

If you need immediate assistance, please contact Synology technical support via https://account.synology.com/support.

Detail

  • CVE-2018-1160
    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Netatalk before 3.1.12 is vulnerable to an out-of-bounds write in dsi_opensess.c. This is due to a lack of bounds checking on attacker-controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Reference

CVE-2018-1160

Revision

Revision  Date        Description
1         2018-12-21  Initial public release.
2         2018-12-21  Update for DSM 6.2 is now available in Affected Products.
3         2018-12-26  Update for VS960HD is now available in Affected Products.
4         2018-12-28  Update for SRM 1.2 is now available in Affected Products.
5         2019-01-02  Updates for DSM 6.1 and DSM 5.2 are now available in Affected Products.
6         2019-01-04  Update for SkyNAS is now available in Affected Products.