CVE-2020-27655: Synology_SA_20_14 | Synology Inc.

Abstract

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM).

Affected Products

Product

Severity

Fixed Release Availability

SRM 1.2

Critical

Upgrade to 1.2.4-8081 or above.

Mitigation

None

Detail

• CVE-2020-27649

  • Severity: Moderate
  • CVSS3 Base Score: 8.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

• CVE-2020-27651

  • Severity: Moderate
  • CVSS3 Base Score: 5.8
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
  • Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

• CVE-2020-27653

  • Severity: Moderate
  • CVSS3 Base Score: 8.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.

• CVE-2020-27654

  • Severity: Critical
  • CVSS3 Base Score: 9.8
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.

• CVE-2020-27655

  • Severity: Important
  • CVSS3 Base Score: 6.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
  • Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.

• CVE-2020-27657

  • Severity: Moderate
  • CVSS3 Base Score: 6.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
  • Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.

• CVE-2020-27658

  • Severity: Moderate
  • CVSS3 Base Score: 7.1
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
  • Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Revision

Revision

Date

Description

1

2020-06-18

Initial public release.

2

2020-10-29

Disclosed vulnerability details.