Synology-SA-17:25 FFmpeg

Publish Time: 2017-07-06 00:00:00 UTC+8

Last Updated: 2017-09-19 13:46:24 UTC+8

Severity
Moderate
Status
Resolved

Abstract

CVE-2017-9993 allows remote authenticated users to read arbitrary local files via crafted video files.

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
    • Video Station before 2.3.2-1454
  • Models
    • All Synology models

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
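As an added defender-side illustration (example code written here, not Synology's or FFmpeg's own) of the kind of restriction the description refers to: a validator that rejects HLS playlist references carrying a non-HTTP scheme or a filename extension outside an allowlist, plus an assumed extra check that a playlist read from local disk cannot reference files outside its own directory. The extension allowlist and the sample playlist are constructed for this example.

```python
import posixpath
from urllib.parse import urlparse

# Allowlist of extensions a segment or sub-playlist reference may carry.
# Constructed for this example; it is not FFmpeg's own default list.
ALLOWED_EXTENSIONS = {"ts", "m4s", "mp4", "m3u8", "aac", "mp3"}


def check_reference(uri, playlist_scheme):
    """Return None if the reference is acceptable, otherwise a reason string."""
    parsed = urlparse(uri)
    # A reference may only stay on HTTP(S) or be relative to the playlist;
    # any other scheme (file: included) is rejected outright.
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return f"disallowed scheme {parsed.scheme!r}"
    # For a playlist read from local disk, relative references must stay inside
    # its own directory (an assumed extra hardening beyond the extension check).
    if not parsed.scheme and playlist_scheme == "file":
        if uri.startswith("/") or ".." in posixpath.normpath(uri).split("/"):
            return "reference escapes the playlist directory"
    ext = posixpath.splitext(parsed.path)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"disallowed extension {ext or '<none>'!r}"
    return None


def check_playlist(text, playlist_scheme="file"):
    """Return (line_no, uri, reason) for every reference that fails the checks."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and #EXT tags
            continue
        reason = check_reference(line, playlist_scheme)
        if reason:
            findings.append((no, line, reason))
    return findings


# Constructed sample playlist: one clean segment and two suspicious references.
SAMPLE_PLAYLIST = """#EXTM3U
#EXTINF:10.0,
segment0.ts
#EXTINF:10.0,
file:///etc/passwd
#EXTINF:10.0,
../../private/notes.txt
#EXT-X-ENDLIST
"""
```

Running `check_playlist(SAMPLE_PLAYLIST)` flags lines 5 and 7 with their reasons; a media ingestion service could log such findings and refuse the upload before handing the file to a demuxer.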

Mitigation

None

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above, update DSM 6.0 to 6.0.3-8754-4 or above and update Video Station to 2.3.3-1455 or above.

Reference