Synology-SA-21:02 Sudo

Publish Time: 2021-02-22 10:44:30 UTC+8

Last Updated: 2021-09-01 15:40:37 UTC+8

Severity: Low

Status: Accepted

Abstract

A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product    Severity      Fixed Release Availability
DSM 6.2    Low           Upgrade to 6.2.4-25554 or above.
DSM UC     Low           Upgrade to 3.1-23033 or above.
SkyNAS     Low           Pending
VS960HD    Low           Ongoing
SRM 1.2    Not affected  N/A

Mitigation

None

Detail

  • CVE-2021-3156
    • Severity: Low
    • CVSS3 Base Score: 6.7
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
    • Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
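As an added example, not part of the advisory, the following Python helper encodes the Affected Products table and the upstream "before 1.9.5p2" rule so that an inventory of Synology hosts can be triaged against this advisory. The fixed releases and product statuses are taken from the table above; the hostnames, installed versions and the exact product-name strings used as keys are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple
# Fixed releases and statuses as given in the advisory's Affected Products table.
FIXED_RELEASE = {"DSM 6.2": "6.2.4-25554", "DSM UC": "3.1-23033"}
NO_FIX_YET = {"SkyNAS", "VS960HD"}  # listed as Pending / Ongoing
NOT_AFFECTED = {"SRM 1.2"}

def parse_sudo_version(ver: str) -> Tuple[int, int, int, int]:
    """'1.9.5p2' -> (1, 9, 5, 2); a missing 'pN' suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)

def sudo_is_vulnerable(ver: str) -> bool:
    """Upstream rule quoted in the advisory: sudo before 1.9.5p2 is affected.
    Vendors backport fixes, so treat a bare version string as a triage hint only."""
    return parse_sudo_version(ver) < parse_sudo_version("1.9.5p2")

def parse_dsm_version(ver: str) -> Tuple[int, ...]:
    """'6.2.4-25554' -> (6, 2, 4, 25554). The dotted part is padded to three
    fields so '6.2-23739' sorts below '6.2.4-25554'; the build number breaks ties."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})-(\d+)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {ver!r}")
    fields = [int(x) for x in m.group(1).split(".")]
    fields += [0] * (3 - len(fields))
    return tuple(fields) + (int(m.group(2)),)

def advisory_status(product: str, version: str) -> str:
    """Map one inventory record to the action this advisory calls for."""
    if product in NOT_AFFECTED:
        return "not affected"
    if product in NO_FIX_YET:
        return "affected, no fixed release yet"
    fixed = FIXED_RELEASE.get(product)
    if fixed is None:
        return "product not covered by this advisory"
    if parse_dsm_version(version) >= parse_dsm_version(fixed):
        return "fixed"
    return f"upgrade to {fixed} or above"

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Rows are (hostname, product, version); returns hostname -> required action."""
    return {host: advisory_status(prod, ver) for host, prod, ver in inventory}

# Constructed sample inventory: hostnames and installed versions are illustrative, not from the advisory.
SAMPLE_INVENTORY = [("nas-01", "DSM 6.2", "6.2.3-25426"), ("nas-02", "DSM 6.2", "6.2.4-25556"),
                    ("uc-01", "DSM UC", "3.0-4698"), ("cam-01", "VS960HD", "2.0.0-1000"), ("rtr-01", "SRM 1.2", "1.2.4-8081")]
```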

Reference

Revision

Revision  Date        Description
1         2021-02-22  Initial public release.
2         2021-02-23  Update for DSM 6.2 is now available in Affected Products.
3         2021-06-02  Updated severity for DSM 6.2, DSM UC, SkyNAS and VS960HD in Affected Products.
4         2021-06-01  Update for DSM UC is now available in Affected Products.