Cybersecurity specialists reported the discovery of at least seven critical vulnerabilities in DiskStation Manager (DSM), the web-based operating system for Synology Network Attached Storage (NAS) products. According to the report, successful exploitation of these vulnerabilities would allow threat actors to extract sensitive information and even execute arbitrary code on compromised systems, among other risk scenarios.

Below are brief descriptions of the reported flaws, along with their tracking identifiers and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-26560: The affected software uses an unsecured communication channel to transmit sensitive information within the browser functionality on synoagent. Remote threat actors can perform a man-in-the-middle (MiTM) attack to extract sensitive data.

The flaw received a CVSS score of 5.9/10.

CVE-2021-26561: A boundary error when processing the HTTP header “syno_finder_site” would allow unauthenticated attackers to use MiTM attacks to trigger a stack-based buffer overflow.

The flaw received a CVSS score of 7.8/10, and its successful exploitation would allow arbitrary code to run on the target system.

CVE-2021-26562: A boundary error when processing the HTTP header “syno_finder_site” would allow remote attackers to perform MiTM attacks that trigger an out-of-bounds write, leading to arbitrary code execution on the target system.

The vulnerability received a score of 7.1/10 and its exploitation would allow remote threat actors to compromise vulnerable systems.

CVE-2021-26563: Improper implementation of access restrictions in the AppArmor Synthesis Search Agent profile would allow local administrators to use a specially crafted kernel module to bypass AppArmor restrictions.

The flaw received a score of 7.1/10, and its exploitation would allow a local user to gain unauthorized access to functions that are normally restricted.

CVE-2021-26564: The affected software uses an unsafe communication channel to transmit sensitive information on synorelayd. Remote threat actors can perform MiTM attacks to spoof servers over an HTTP session.

The flaw received a CVSS score of 5.3/10, cybersecurity experts point out.

CVE-2021-26565: The software uses an insecure communication channel to transmit sensitive information on synorelayd. Hackers can perform MiTM attacks to obtain sensitive information using an HTTP session.

The vulnerability received a CVSS score of 5.3/10 and its exploitation would allow remote threat actors to access sensitive information.

CVE-2021-26566: The insertion of sensitive information into data sent in synorelayd would allow remote threat actors to perform MiTM attacks to execute arbitrary commands through QuickConnect.

The flaw received a CVSS score of 7.1/10, and its exploitation would allow the target system to be compromised.

According to Synology’s report, these flaws affect the following version of DiskStation Manager: 6.2.3 25426-2.

Although most reported vulnerabilities can be exploited by unauthenticated remote threat actors, cybersecurity experts have not detected attempts at active exploitation or the existence of a malware variant linked to the attack.

The flaws have already been fixed, so Synology recommends that users of affected deployments install the updates as soon as possible.