Important Information Regarding MediaWiki Vulnerability (CVE-2017-0372)

Publish Time: 2017-05-03 00:00:00 UTC+8

Last Updated: 2017-05-03 12:00:00 UTC+8

Severity: Important

Status: Resolved

Abstract

CVE-2017-0372 allows remote attackers who can edit wiki pages that use syntax highlighting to execute arbitrary code and take control of servers hosting vulnerable MediaWiki services.

Affected

  • Products
    • MediaWiki version 1.27.1-0119 and before
  • Models
    • All Synology models

Description

This vulnerability in MediaWiki 1.27.x before 1.27.3, 1.28.x before 1.28.2 and earlier release series allows remote attackers to execute arbitrary commands by injecting arbitrary Pygments options through the SyntaxHighlight extension when that extension is enabled.

Mitigation

Disable the SyntaxHighlight extension:

  1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service
  2. Log in to DSM via SSH as “admin” and execute the following command:
    sudo /usr/bin/sed -i "/wfLoadExtension( 'SyntaxHighlight_GeSHi' );/d" /var/services/web/MediaWiki/LocalSettings.php
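The following script is an added example, not Synology's own command: it first checks whether LocalSettings.php still loads the extension, backs the file up, comments the loader line out instead of deleting it, and re-checks that the mitigation took effect. It assumes the file path is passed as an argument (the advisory's path is /var/services/web/MediaWiki/LocalSettings.php) and, as an assumption for installs not set up by the Synology package, also matches the older require_once() loading style.

```shell
#!/bin/sh
# Added example for the CVE-2017-0372 mitigation above; not Synology's script.
# Assumption: the extension is loaded either with wfLoadExtension() (as on
# the Synology package) or with the older require_once() style.

# Return 0 if the given LocalSettings.php still enables SyntaxHighlight_GeSHi.
syntaxhighlight_enabled() {
    grep -Eq "^[[:space:]]*(wfLoadExtension\( *'SyntaxHighlight_GeSHi' *\)|require_once.*SyntaxHighlight_GeSHi)" "$1"
}

# Comment out every loader line, keeping a timestamped backup for rollback.
# Returns 0 on success (or if nothing had to be done), 1 if the edit did not
# take effect, 2 on file errors.
disable_syntaxhighlight() {
    settings="$1"
    [ -f "$settings" ] || { echo "no such file: $settings" >&2; return 2; }
    if ! syntaxhighlight_enabled "$settings"; then
        echo "SyntaxHighlight already disabled in $settings"
        return 0
    fi
    cp -p "$settings" "$settings.bak.$(date +%Y%m%d%H%M%S)" || return 2
    tmp="$settings.tmp.$$"
    # Write through a temp file and cat it back so ownership and mode survive.
    sed -E "s/^([[:space:]]*)(wfLoadExtension\( *'SyntaxHighlight_GeSHi' *\);|require_once.*SyntaxHighlight_GeSHi.*)/\1# CVE-2017-0372 mitigation: \2/" "$settings" > "$tmp" \
        && cat "$tmp" > "$settings" && rm -f "$tmp" || return 2
    # Verify the extension is really no longer loaded.
    if syntaxhighlight_enabled "$settings"; then
        echo "failed to disable SyntaxHighlight in $settings" >&2
        return 1
    fi
    echo "SyntaxHighlight disabled in $settings (backup kept next to it)"
    return 0
}

# Usage (run with write access to the file, e.g. via sudo on DSM):
#   disable_syntaxhighlight /var/services/web/MediaWiki/LocalSettings.php
```

Commenting the line out rather than deleting it keeps the original configuration visible for the later package update and makes the backup a simple safety net rather than the only record.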

Update Availability

To fix this security issue, go to DSM > Package Center and install the latest version of MediaWiki to protect your Synology NAS from malicious attacks.

References
https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html
https://phabricator.wikimedia.org/T158689
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html