What are you looking for ?
Mobile Search Icon
Mobile Menu Icon
Infinidat
Articles_top

Synology Security Advisory 22:17 Concerning DiskStation Manager NAS OS

Multiple vulnerabilities allow remote attackers to obtain sensitive information or execute arbitrary commands via susceptible version of DMS.

This is a Press Release edited by StorageNewsletter.com on October 31, 2022 at 2:01 pm

Synology, Inc. had published a security advisory concerning multiple vulnerabilities on versions of DiskStation Manager NAS OS.

Publish time: 2022-10-20 13:53:15 UTC+8
Last updated: 2022-10-20 13:57:10 UTC+8
Severity: Critical
Status: Resolved

Abstract
Multiple vulnerabilities allow remote attackers to obtain sensitive information or execute arbitrary commands via a susceptible version of DiskStation Manager (DSM).

Affected products

Synology Dsm Sa Tab1Mitigation : None

Detail:

  • CVE-2022-27624

    • Severity: Critical

    • CVSS3 base score: 10.0

    • CVSS3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    • A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

  • CVE-2022-27625

    • Severity: Critical

    • CVSS3 base score: 10.0

    • CVSS3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    • A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

  • CVE-2022-27626

    • Severity: Critical

    • CVSS3 base score: 10.0

    • CVSS3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    • A vulnerability regarding concurrent execution using shared resource with improper synchronization (‘Race Condition’) is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

  • CVE-2022-3576

    • Severity: Moderate

    • CVSS3 base score: 5.3

    • CVSS3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    • A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

Acknowledgement
This issue was discovered internally by Synology PSIRT.

Revision

Synology Dsm Sa Tab2

 

 

 

Articles_bottom
AIC
ATTO
OPEN-E