SB2021042002 - Multiple vulnerabilities in Synology DiskStation Manager (DSM)

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-26560)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information within the synoagentregisterd server finder functionality. A remote attacker can perform a man-in-the-middle attack and gain access to sensitive data.

2) Stack-based buffer overflow (CVE-ID: CVE-2021-26561)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing "syno_finder_site" HTTP header. A remote unauthenticated attacker can perform a man-in-the-middle attack, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Out-of-bounds write (CVE-ID: CVE-2021-26562)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing "syno_finder_site" HTTP header. A remote attacker can perform a man-in-the-middle attack, trigger out-of-bounds write and execute arbitrary code on the target system.

4) Improper access control (CVE-ID: CVE-2021-26563)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in AppArmor’s synosearchagent profile. A local administrator can use a specially crafted kernel module to bypass the AppArmor’s restrictions.

5) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-26564)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information in synorelayd. A remote attacker can perform a man-in-the-middle attack to spoof servers via an HTTP session.

6) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-26565)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information in synorelayd. A remote attacker can perform a man-in-the-middle attack to obtain sensitive information via an HTTP session.

7) Command Injection (CVE-ID: CVE-2021-26566)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to insertion of sensitive information into sent data issue in synorelayd. A remote attacker can perform a man-in-the-middle attack to execute arbitrary commands via inbound QuickConnect traffic.

Remediation

Install update from vendor's website.

References

• https://www.synology.com/security/advisory/Synology_SA_20_26
• https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159
• https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158
• https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160