search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Synology DiskStation Manager arbitrary file modification

Vulnerability Note VU#615910

Original Release Date: 2014-01-07 | Last Revised: 2014-01-07

Overview

Synology DiskStation Manager versions 4.3-3776-3 and below contain a vulnerability that allows a remote unauthenticated user to append arbitrary data to an arbitrary file under root privileges.

Description

CWE-284: Improper Access Control - CVE-2013-6955

Synology DiskStation Manager versions 4.3-3776-3 and below allow a remote unauthenticated user to append arbitrary data to files on the system under root privileges. According to Synology:

Synology File Station in DSM employs a technique called "Slice Upload" to upload files when the file size is over 4GB [in the] Firefox browser. Since this feature is implemented in DSM4.0, all versions of DSM after DSM4.0 are subject to this vulnerability.

To exploit this vulnerability, an attacker needs to send a specially crafted HTTP POST request to /webman/imageSelector.cgi containing the header fields X-TYPE-NAME: SLICEUPLOAD and X-TMP-FILE with the valid path of the file to append malicious code or data.

Impact

A remote unauthenticated attacker may be able to execute arbitrary code on the system under root privileges.

Solution

Apply an Update

Synology has advised users to upgrade to the latest version of DiskStation Manager (DSM).

For Synology products released in 2008 (x08 series), DSM4.0-2259 has been released to address this issue.
For Synology products released after 2009, DSM4.2-3243 has been released to address this issue for DSM4.2 users. DSM4.3-3810 Update 1 has been released to address this issue for DSM4.3 users.

Vendor Information

615910
 
Affected   Unknown   Unaffected

Synology

Notified:  November 08, 2013 Updated:  December 19, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 2 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Markus Wulftange for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2013-6955
Date Public: 2014-01-07
Date First Published: 2014-01-07
Date Last Updated: 2014-01-07 18:07 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.