What are you looking for ?
Advertise with us
RAIDON

Synology: 4 Security Advisories Concerning NAS App

Storage Analyzer, Note Station Client, SSO Server, and USB Copy app for DMS NAS OS

Synology, Inc. had published 4 security advisories concerning its NAS OS applications.

SA-22:11 Storage Analyzer
Publish time: 2022-08-03 10:21:30 UTC+8
Last updated: 2022-08-03 10:21:30 UTC+8
Severity : Moderate
Status : Resolved

Abstract
A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of Storage Analyzer.

Affected products

Product

Severity

Fixed release availability

Storage Analyzer for DSM 7.1

Moderate

Upgrade to 2.1.0-0390 or above

Storage Analyzer for DSM 7.0

Moderate

Upgrade to 2.1.0-0390 or above

Storage Analyzer for DSM 6.2

Moderate

Upgrade to 2.0.1-0214 or above

Mitigation : None

Detail

  • CVE-2022-27618

    • Severity: moderate

    • CVSS3 Base Score: 6.8

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology Storage Analyzer before 2.1.0-0390 allows remote authenticated users to delete arbitrary files via unspecified vectors.

Acknowledgement
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group

Revision

Revision

Date

Description

1

2022-08-03

Initial public release

 

SA-22:12 Synology Note Station Client
Publish time: 2022-08-03 10:44:45 UTC+8
Last updated: 2022-08-03 10:44:45 UTC+8
Severity : Moderate
Status : Resolved

Abstract
A vulnerability allows man-in-the-middle attackers to obtain sensitive information via a susceptible version of Synology Note Station Client.

Affected Products

Product

Severity

Fixed release availability

Synology Note Station Client

Moderate

Upgrade to 2.2.2-609 or above

Mitigation : None

Detail

  • CVE-2022-27619

    • Severity: Moderate

    • CVSS3 Base Score: 6.8

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

    • Cleartext transmission of sensitive information vulnerability in authentication management in Synology Note Station Client before 2.2.2-609 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

Acknowledgement
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group

Revision

Revision

Date

Description

1

2022-08-03

Initial public release

 

SA-22:13 SSO Server
Publish time: 2022-08-03 11:15:26 UTC+8
Last updated: 2022-08-03 11:15:26 UTC+8
Severity : Moderate
Status : Ongoing

Abstract
A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of SSO Server.

Affected products

Product

Severity

Fixed release availability

SSO Server for DSM 7.1

Moderate

Upgrade to 2.2.3-0331 or above

SSO Server for DSM 7.0

Moderate

Upgrade to 2.2.3-0331 or above

SSO Server for DSM 6.2

Moderate

Ongoing

Mitigation : None

Detail

  • CVE-2022-27620

    • Severity: Moderate

    • CVSS3 Base Score: 6.8

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors.

Acknowledgement
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group

Revision

Revision

Date

Description

1

2022-08-03

Initial public release

 

SA-22:14 USB Copy
Publish time: 2022-08-03 11:21:59 UTC+8
Last updated: 2022-08-03 14:13:44 UTC+8
Severity : Moderate
Status : Resolved

Abstract
A vulnerability allows remote authenticated users to read or write arbitrary files via a susceptible version of USB Copy.

Affected products

Product

Severity

Fixed release availability

USB Copy for DSM 7.1

Moderate

Upgrade to 2.2.0-1086 or above

USB Copy for DSM 7.0

Moderate

Upgrade to 2.2.0-1086 or above

USB Copy for DSM 6.2

Moderate

Upgrade to 2.1.1-0081 or above

Mitigation : None

Detail

  • CVE-2022-27621

    • Severity: Moderate

    • CVSS3 Base Score: 5.5

    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology USB Copy before 2.2.0-1086 allows remote authenticated users to read or write arbitrary files via unspecified vectors.

Acknowledgement
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group

Revision

Revision

Date

Description

1

2022-08-03

Initial public release

2

2022-08-03

Disclosed vulnerability details

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E