The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of DSM

computer vulnerability note CVE-2018-1000199

Linux kernel: privilege escalation via Ptrace Hardware Breakpoint Settings

Synthesis of the vulnerability

An attacker can bypass restrictions via Ptrace Hardware Breakpoint Settings of the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, Android OS, QRadar SIEM, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 02/05/2018.
Identifiers: CERTFR-2018-AVI-226, CERTFR-2018-AVI-228, CERTFR-2018-AVI-256, CERTFR-2018-AVI-308, CERTFR-2018-AVI-319, CERTFR-2018-AVI-584, CVE-2018-1000199, DLA-1369-1, DSA-4187-1, DSA-4188-1, ibm10742755, openSUSE-SU-2018:1418-1, RHSA-2018:1318-01, RHSA-2018:1345-01, RHSA-2018:1347-01, RHSA-2018:1348-01, RHSA-2018:1354-01, RHSA-2018:1355-01, RHSA-2018:1374-01, SUSE-SU-2018:1366-1, SUSE-SU-2018:1368-1, SUSE-SU-2018:1374-1, SUSE-SU-2018:1375-1, SUSE-SU-2018:1376-1, SUSE-SU-2018:1816-1, SUSE-SU-2018:1846-1, SUSE-SU-2018:1855-1, Synology-SA-18:51, USN-3641-1, USN-3641-2, VIGILANCE-VUL-25999.

Description of the vulnerability

An attacker can bypass restrictions via Ptrace Hardware Breakpoint Settings of the Linux kernel, in order to escalate his privileges.

vulnerability note CVE-2018-0737

OpenSSL: information disclosure via RSA Constant Time Key Generation

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.
Impacted products: Debian, AIX, BladeCenter, IBM i, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenBSD, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Solaris, Tuxedo, Oracle Virtual Directory, VirtualBox, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, XtraBackup, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 17/04/2018.
Identifiers: bulletinjul2018, CERTFR-2018-AVI-511, CERTFR-2018-AVI-607, cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, CVE-2018-0737, DLA-1449-1, DSA-4348-1, DSA-4355-1, ibm10729805, ibm10743283, ibm10880781, JSA10919, openSUSE-SU-2018:2695-1, openSUSE-SU-2018:2957-1, openSUSE-SU-2018:3015-1, openSUSE-SU-2019:0152-1, openSUSE-SU-2019:1432-1, PAN-SA-2018-0015, RHSA-2018:3221-01, SSA:2018-226-01, SUSE-SU-2018:2486-1, SUSE-SU-2018:2492-1, SUSE-SU-2018:2683-1, SUSE-SU-2018:2928-1, SUSE-SU-2018:2965-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2019:0197-1, SUSE-SU-2019:0512-1, SUSE-SU-2019:1553-1, TNS-2018-14, TNS-2018-17, TSB17568, USN-3628-1, USN-3628-2, USN-3692-1, USN-3692-2, VIGILANCE-VUL-25884.

Description of the vulnerability

An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.

vulnerability 25720

Synology Calendar: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Synology Calendar, in order to escalate his privileges.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 29/03/2018.
Identifiers: Synology-SA-18:16, VIGILANCE-VUL-25720.

Description of the vulnerability

An attacker can bypass restrictions of Synology Calendar, in order to escalate his privileges.

computer vulnerability note CVE-2018-8925 CVE-2018-8926

Synology Photo Station: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Synology Photo Station.
Impacted products: Synology DSM.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/03/2018.
Identifiers: CVE-2018-8925, CVE-2018-8926, Synology-SA-18:15, VIGILANCE-VUL-25719.

Description of the vulnerability

An attacker can use several vulnerabilities of Synology Photo Station.

computer vulnerability alert CVE-2018-0739

OpenSSL: denial of service via Recursive ASN.1

Synthesis of the vulnerability

An attacker can generate a fatal error via Recursive ASN.1 of OpenSSL, in order to trigger a denial of service.
Impacted products: Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, IBM i, Rational ClearCase, QRadar SIEM, Tivoli Storage Manager, WebSphere MQ, MariaDB ~ precise, McAfee Email Gateway, MySQL Community, MySQL Enterprise, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Ubuntu, X2GoClient.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 27/03/2018.
Identifiers: 2015887, 524146, bulletinjan2019, CERTFR-2018-AVI-155, cpuapr2019, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-0739, DLA-1330-1, DSA-2018-125, DSA-4157-1, DSA-4158-1, FEDORA-2018-1b4f1158e2, FEDORA-2018-40dc8b8b16, FEDORA-2018-76afaf1961, FEDORA-2018-9490b422e7, ibm10715641, ibm10717211, ibm10717405, ibm10717409, ibm10719319, ibm10733605, ibm10738249, ibm10874728, K08044291, N1022561, openSUSE-SU-2018:0936-1, openSUSE-SU-2018:1057-1, openSUSE-SU-2018:2208-1, openSUSE-SU-2018:2238-1, openSUSE-SU-2018:2524-1, openSUSE-SU-2018:2695-1, PAN-SA-2018-0015, RHSA-2018:3090-01, RHSA-2018:3221-01, SA166, SB10243, SSA-181018, SUSE-SU-2018:0902-1, SUSE-SU-2018:0905-1, SUSE-SU-2018:0906-1, SUSE-SU-2018:0975-1, SUSE-SU-2018:2072-1, SUSE-SU-2018:2158-1, SUSE-SU-2018:2683-1, Synology-SA-18:51, USN-3611-1, USN-3611-2, VIGILANCE-VUL-25666.

Description of the vulnerability

An attacker can generate a fatal error via Recursive ASN.1 of OpenSSL, in order to trigger a denial of service.

vulnerability note CVE-2018-8917 CVE-2018-8919 CVE-2018-8920

Synology DSM: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology DSM, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 27/03/2018.
Identifiers: CVE-2018-8917, CVE-2018-8919, CVE-2018-8920, Synology-SA-18:14, VIGILANCE-VUL-25664.

Description of the vulnerability

The Synology DSM product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology DSM, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2018-8924

Synology Office: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology Office, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/03/2018.
Identifiers: CVE-2018-8924, Synology-SA-18:12, VIGILANCE-VUL-25652.

Description of the vulnerability

The Synology Office product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology Office, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2018-8921 CVE-2018-8922

Synology Drive: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Synology Drive.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/03/2018.
Identifiers: CVE-2018-8921, CVE-2018-8922, Synology-SA-18:11, VIGILANCE-VUL-25614.

Description of the vulnerability

An attacker can use several vulnerabilities of Synology Drive.

vulnerability bulletin CVE-2018-8928

Synology CardDAV Server: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology CardDAV Server, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2018.
Identifiers: CVE-2018-8928, Synology-SA-18:10, VIGILANCE-VUL-25603.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology CardDAV Server, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2018-8923

Synology File Station: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology File Station, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2018.
Identifiers: CVE-2018-8923, Synology-SA-18:09, VIGILANCE-VUL-25602.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology File Station, in order to run JavaScript code in the context of the web site.