Vulnerability Note VU#615910

Synology DiskStation Manager arbitrary file modification

Original Release date: 07 Jan 2014 | Last revised: 07 Jan 2014

Overview

Synology DiskStation Manager versions 4.3-3776-3 and below contain a vulnerability that allows a remote unauthenticated user to append arbitrary data to an arbitrary file under root privileges.

Description

CWE-284: Improper Access Control - CVE-2013-6955

Synology DiskStation Manager versions 4.3-3776-3 and below allow a remote unauthenticated user to append arbitrary data to files on the system under root privileges. According to Synology:

    Synology File Station in DSM employs a technique called "Slice Upload" to upload files when the file size is over 4GB [in the] Firefox browser. Since this feature is implemented in DSM4.0, all versions of DSM after DSM4.0 are subject to this vulnerability.

To exploit this vulnerability, an attacker needs to send a specially crafted HTTP POST request to /webman/imageSelector.cgi containing the header fields X-TYPE-NAME: SLICEUPLOAD and X-TMP-FILE, the latter set to the valid path of the file to which the malicious code or data is appended.
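
Detection logic for the request shape described above, as an added example that is not part of the original note or of Synology's code. It assumes request heads are available as raw text (for instance from a reverse proxy or packet capture in front of the DSM web interface); the function names, sample requests, host name and placeholder file path are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

TARGET_PATH = "/webman/imageSelector.cgi"  # endpoint named in the note

def parse_request_head(raw):
    """Split a raw HTTP request head into (method, path, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    # Drop the query string, decode %xx, collapse '//' and '/./' so trivial
    # path variations still compare equal to TARGET_PATH.
    path = unquote(parts[1].split("?", 1)[0])
    path = posixpath.normpath(re.sub(r"/+", "/", path))
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return parts[0].upper(), path, headers

def matches_vu615910(raw):
    """True for a POST to TARGET_PATH carrying both headers from the note."""
    try:
        method, path, headers = parse_request_head(raw)
    except ValueError:
        return False
    return (method == "POST" and path == TARGET_PATH
            # Value compared case-insensitively: a conservative assumption.
            and headers.get("x-type-name", "").upper() == "SLICEUPLOAD"
            and "x-tmp-file" in headers)

# Constructed sample requests (host name and file path are placeholders).
SAMPLES = {
    "slice_upload": "POST /webman/imageSelector.cgi HTTP/1.1\r\nHost: nas.example\r\n"
                    "x-type-name: SLICEUPLOAD\r\nX-TMP-FILE: /placeholder/path\r\n\r\n",
    "plain_post": "POST /webman/imageSelector.cgi HTTP/1.1\r\nHost: nas.example\r\n"
                  "Content-Type: multipart/form-data\r\n\r\n",
    "other_page": "GET /index.html HTTP/1.1\r\nHost: nas.example\r\n\r\n",
}

def scan(samples):
    """Return the names of the sample requests that match, sorted."""
    return sorted(n for n, raw in samples.items() if matches_vu615910(raw))
```

Standard access logs rarely record custom request headers, so this check needs header-level capture rather than a plain access log.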

Impact

A remote unauthenticated attacker may be able to execute arbitrary code on the system under root privileges.

Solution

Apply an Update

Synology has advised users to upgrade to the latest version of DiskStation Manager (DSM).

For Synology products released in 2008 (x08 series), DSM4.0-2259 has been released to address this issue.
For Synology products released after 2009, DSM4.2-3243 has been released to address this issue for DSM4.2 users. DSM4.3-3810 Update 1 has been released to address this issue for DSM4.3 users.

Vendor Information

Vendor    Status    Date Notified  Date Updated
Synology  Affected  08 Nov 2013    19 Dec 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 2.0 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Markus Wulftange for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2013-6955
  • Date Public: 07 Jan 2014
  • Date First Published: 07 Jan 2014
  • Date Last Updated: 07 Jan 2014
  • Document Revision: 14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.