Synology Security Advisory SA-23:02 Sudo
Vulnerability allows local users to conduct privilege escalation attacks via susceptible version of DiskStation Manager and Synology Router Manager.
This is a Press Release edited by StorageNewsletter.com on April 5, 2023 at 2:01 pmSynology, Inc. had published a security advisory concerning Sudo including in DSM and SRM.
Publish time: 2023-03-30 16:17:07 UTC+8
Last updated: 2023-03-30 16:17:07 UTC+8
Severity: Low
Status: Ongoing
Abstract
A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
Affected products
Mitigation : None
Detail :
- CVE-2023-22809
- Severity: Low
- CVSS3 base score: 6.7
- CVSS3 vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a “–” argument that defeats a protection mechanism, e.g., an EDITOR=’vim — /path/to/extra/file’ value.
Reference : CVE-2023-22809
Revision :
Share this news :
Subscribe to our free daily newsletter
