Headline
CVE-2021-31439: ZDI-21-492
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
April 29th, 2021
Synology DiskStation Manager Netatalk dsi_doff Heap-based Buffer Overflow Remote Code Execution Vulnerability****ZDI-21-492
ZDI-CAN-12326
CVE ID
CVE-2021-31439
CVSS SCORE
8.8, (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS
Synology
AFFECTED PRODUCTS
DiskStation Manager
VULNERABILITY DETAILS
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation DS418play. Authentication is not required to exploit this vulnerablity.
The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
ADDITIONAL DETAILS
Synology has issued an update to correct this vulnerability. More details can be found at:
https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26
DISCLOSURE TIMELINE
- 2020-11-07 - Vulnerability reported to vendor
- 2021-04-29 - Coordinated public release of advisory
- 2021-05-24 - Advisory Updated
CREDIT
Angelboy(@scwuaptx) from DEVCORE Security Team
BACK TO ADVISORIES
Related news
Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.
Debian Linux Security Advisory 5503-1 - Multiple security issues were discovered in Netatalk, an implementation of the Apple Filing Protocol (AFP) for offering file service (mainly) to macOS clients, which may result in the execution of arbitrary code or information disclosure.
Ubuntu Security Notice 6146-1 - It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.
Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.