Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-26569: Synology_SA_20_26 | Synology Inc.

Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.

CVE
#vulnerability#web#cisco#buffer_overflow#auth#zero_day

Abstract

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).

Affected Products

Product

Severity

Fixed Release Availability

DSM 6.2

Important

Upgrade to 6.2.3-25426-3 or above.

DSMUC 3.0

Low

Upgrade to 3.1-23033 or above.

VS Firmware 2.3

Moderate

Ongoing

Mitigation

None

Detail

  • CVE-2021-26560

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
  • CVE-2021-26561

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
  • CVE-2021-26562

    • Severity: Critical
    • CVSS3 Base Score: 9.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
  • CVE-2021-26569

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27646

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27647

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
  • CVE-2021-27649

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
  • CVE-2021-31439

    • Severity: Critical
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
  • CVE-2022-22687

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Buffer copy without checking size of input (‘Classic Buffer Overflow’) vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
  • CVE-2021-26564

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
  • CVE-2021-26565

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
  • CVE-2021-26566

    • Severity: Important
    • CVSS3 Base Score: 8.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
  • CVE-2021-26567

    • Severity: Important
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.
  • CVE-2021-29083

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
  • CVE-2021-29084

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    • Improper neutralization of special elements in output used by a downstream component (‘Injection’) vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
  • CVE-2021-29085

    • Severity: Important
    • CVSS3 Base Score: 8.6
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    • Improper neutralization of special elements in output used by a downstream component (‘Injection’) vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
  • CVE-2021-29087

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
  • CVE-2021-29086

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.

Acknowledgement

  • Justin Taft (@oneupsecurity) working with Trend Micro’s Zero Day Initiative

  • Claudio Bozzato of Cisco Talos

  • DEVCORE working with Trend Micro’s Zero Day Initiative

  • STARLabs working with Trend Micro’s Zero Day Initiative

  • ddaa of TrapaSecurity

  • Chanyoung So

Reference

  • CVE-2021-26569
  • CVE-2021-27646
  • CVE-2021-27647
  • CVE-2021-27649
  • CVE-2021-26560
  • CVE-2021-26561
  • CVE-2021-26562
  • CVE-2021-26564
  • CVE-2021-26565
  • CVE-2021-26566
  • CVE-2021-26567
  • CVE-2021-29083
  • CVE-2021-29084
  • CVE-2021-29085
  • CVE-2021-29087
  • CVE-2021-31439
  • CVE-2021-29086
  • CVE-2022-22687

Revision

Revision

Date

Description

1

2020-11-26

Initial public release.

2

2021-02-02

Updated Acknowledgement for researchers.

3

2021-02-03

Updated Acknowledgement for researchers.

4

2021-04-09

Disclosed vulnerability details.

5

2021-06-01

Update for DSM UC is now available in Affected Products.

6

2021-06-24

Disclosed vulnerability details.

7

2022-05-18

Disclosed vulnerability details.

Related news

Gentoo Linux Security Advisory 202311-02

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

Debian Security Advisory 5503-1

Debian Linux Security Advisory 5503-1 - Multiple security issues were discovered in Netatalk, an implementation of the Apple Filing Protocol (AFP) for offering file service (mainly) to macOS clients, which may result in the execution of arbitrary code or information disclosure.

Ubuntu Security Notice USN-6146-1

Ubuntu Security Notice 6146-1 - It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

CVE-2022-23122: Netatalk Release Notes

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.

CVE-2021-31439: ZDI-21-492

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907