
Computer vulnerabilities of Synology DSM

vulnerability 16990

Synology Photo Station: two vulnerabilities

Synthesis of the vulnerability

An attacker can exploit two Cross Site Scripting vulnerabilities in Synology Photo Station, in order to execute JavaScript code in the context of the web site.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 26/05/2015.
Identifiers: VIGILANCE-VUL-16990.

Description of the vulnerability

Several vulnerabilities were announced in Synology Photo Station.

An attacker can trigger a reflected Cross Site Scripting in login.php via the $_GET['success'] parameter, which is echoed into the page without encoding, in order to execute JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting in index.php via the values $urlPrefix.$data['img'] and $urlPrefix.$url, which are inserted into the page without encoding, in order to execute JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability announcement CVE-2015-4655

Synology DiskStation Manager: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology DiskStation Manager, in order to execute JavaScript code in the context of the web site.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/05/2015.
Identifiers: CVE-2015-4655, SFY20150503, VIGILANCE-VUL-16987.

Description of the vulnerability

The Synology DiskStation Manager product offers a web service.

However, it does not encode received data before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology DiskStation Manager, in order to execute JavaScript code in the context of the web site.

computer vulnerability alert 16986

Synology Photo Station: command execution via description

Synthesis of the vulnerability

An attacker can set a photo description containing shell metacharacters on Synology Photo Station, in order to execute commands on the system.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 26/05/2015.
Identifiers: SFY20150502, VIGILANCE-VUL-16986.

Description of the vulnerability

The Synology Photo Station product can be installed on DSM.

The photo/webapi/photo.php script calls the UpdateDescriptionMetadata() function, which runs the SYNO_EXIFTOOL_FILE command (/usr/syno/bin/synophoto_dsm_user) through a shell. However, the shell command line is built by concatenating the "description" field without escaping it.

An attacker who can edit a photo description can therefore include shell metacharacters in it, in order to execute commands on the system.
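The two patterns side by side, as an added example that is not Synology's code and not the bulletin's: the vulnerable construction pastes the untrusted description into one string that /bin/sh will parse, while the hardened version passes it as a single argv element to the tool with no shell in between, and captures what the child actually received. The tool is /bin/echo (with -n) as a stand-in for synophoto_dsm_user so the example runs anywhere, and the -Description=... option is a hypothetical exiftool-style argument, not a documented DSM option; the description string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Stand-in for SYNO_EXIFTOOL_FILE (assumption): /bin/echo prints exactly the
 * bytes it received, which is what we want to observe. */
#define TOOL "/bin/echo"

/* Characters a POSIX shell treats specially. A description containing any of
 * them must never reach a shell-parsed command line. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "\"'`$;&|<>()\\\n") != NULL;
}

/* Vulnerable pattern (what the bulletin describes): the description is pasted
 * into one string that will be parsed by /bin/sh. Returns the would-be command
 * line; the -Description= option is hypothetical. */
const char *build_cmdline_unsafe(const char *description)
{
    static char line[512];
    snprintf(line, sizeof line, "%s -Description=\"%s\" photo.jpg", TOOL, description);
    return line;
}

/* Hardened pattern: no shell. The description is one argv element, so quotes,
 * ';' and '$()' are ordinary bytes. Returns the child's stdout (what the tool
 * really saw) or NULL if the child could not be run. */
const char *run_tool_argv(const char *description)
{
    static char out[512];
    int fd[2];
    if (pipe(fd) == -1) return NULL;
    pid_t pid = fork();
    if (pid == -1) return NULL;
    if (pid == 0) {                                       /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *argv[] = { TOOL, "-n", (char *)description, NULL };
        execv(TOOL, argv);
        _exit(127);
    }
    close(fd[1]);                                         /* parent */
    size_t total = 0;
    ssize_t r;
    while (total < sizeof out - 1 &&
           (r = read(fd[0], out + total, sizeof out - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return NULL;
    return out;
}

int main(void)
{
    /* constructed attacker-controlled description */
    const char *desc = "holiday\"; id; echo \"pwned";
    const char *seen;

    printf("shell would parse : %s\n", build_cmdline_unsafe(desc));
    printf("metacharacters    : %s\n", has_shell_metachars(desc) ? "yes" : "no");
    if ((seen = run_tool_argv(desc)) != NULL)
        printf("argv exec received: %s\n", seen);
    return 0;
}
```

The argv route is the fix; has_shell_metachars() is only defence in depth for code paths that must still go through a shell, and rejecting is safer than trying to escape.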

computer vulnerability bulletin CVE-2015-4025 CVE-2015-4026

PHP: file access via the null character

Synthesis of the vulnerability

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access a file, the name of the file which is really accessed is truncated at the null character.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, openSUSE Leap, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/05/2015.
Identifiers: bulletinjul2017, CERTFR-2015-AVI-234, CVE-2015-4025, CVE-2015-4026, CVE-2017-4025-ERROR, DSA-3280-1, FEDORA-2015-8370, FEDORA-2015-8383, openSUSE-SU-2015:0993-1, openSUSE-SU-2017:3329-1, RHSA-2015:1135-01, RHSA-2015:1186-01, RHSA-2015:1187-01, RHSA-2015:1218-01, RHSA-2015:1219-01, SOL16993, SSA:2015-162-02, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16918.

Description of the vulnerability

The PHP language offers file processing functions such as set_include_path(), tempnam(), rmdir() and readlink(), which are the ones concerned by this bulletin.

The C language uses the null '\0' character as the end of a string, but a PHP string carries an explicit length and may contain a null: "str\0ing".

The file processing functions (implemented in C) therefore stop reading the file name at the first null character. However, validity checks written in PHP operate on the complete string and do not truncate it. This inconsistency can for example allow access to a file whose extension should have been rejected: a check sees the ".jpg" suffix of "image.php\0.jpg", while the C function opens "image.php".

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access a file, the name of the file which is really accessed is therefore truncated.
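The inconsistency made concrete, as an added example (not PHP's source): a length-aware string in the style of a PHP value, a validator that checks the extension on that full value, the path the C layer actually receives once the buffer is handed to a NUL-terminated file function, and the hardened check that rejects embedded NULs first, which is the check the fixed PHP functions perform on their path arguments. The attacker value "shell.php\0.jpg" is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* A PHP string: explicit length, may contain embedded '\0' bytes. */
typedef struct {
    const char *data;
    size_t len;
} php_str;

php_str php_string(const char *data, size_t len)
{
    php_str s = { data, len };
    return s;
}

/* Validator in the style of "optional PHP code checking the file name": it
 * works on the full, length-aware value, so it sees the trailing ".jpg". */
bool has_allowed_ext_phplike(php_str name)
{
    static const char ext[] = ".jpg";
    const size_t el = sizeof ext - 1;
    return name.len >= el && memcmp(name.data + name.len - el, ext, el) == 0;
}

/* What the C implementation of a file function actually uses once it is handed
 * name.data: a NUL-terminated string, i.e. everything up to the first '\0'. */
const char *effective_c_path(php_str name)
{
    static char out[256];
    snprintf(out, sizeof out, "%s", name.data);   /* stops at the first NUL */
    return out;
}

/* Hardened validator: reject any embedded NUL before looking at the extension. */
bool has_allowed_ext_safe(php_str name)
{
    if (memchr(name.data, '\0', name.len) != NULL) return false;
    return has_allowed_ext_phplike(name);
}

int main(void)
{
    /* constructed attacker value as PHP would hold it: 14 bytes, NUL at index 9 */
    php_str evil = php_string("shell.php\0.jpg", 14);
    printf("PHP-level check     : %s\n", has_allowed_ext_phplike(evil) ? "accepted" : "rejected");
    printf("path the C code sees: %s\n", effective_c_path(evil));
    printf("hardened check      : %s\n", has_allowed_ext_safe(evil) ? "accepted" : "rejected");
    return 0;
}
```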

computer vulnerability alert CVE-2015-4024

PHP: denial of service via multipart/form-data

Synthesis of the vulnerability

An attacker can send specially formed multipart/form-data data to PHP, in order to trigger a denial of service.
Impacted products: CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: document.
Creation date: 18/05/2015.
Identifiers: 69364, bulletinjul2015, bulletinjul2017, CERTFR-2015-AVI-234, CVE-2015-4024, DSA-3280-1, FEDORA-2015-8370, FEDORA-2015-8383, openSUSE-SU-2015:0993-1, RHSA-2015:1135-01, RHSA-2015:1186-01, RHSA-2015:1187-01, RHSA-2015:1218-01, RHSA-2015:1219-01, sk106834, SOL16826, SSA:2015-162-02, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16916.

Description of the vulnerability

The PHP product supports data in the MIME multipart format of type "form-data", used for file uploads.

However, when the file name in a part header is spread over many continuation lines, the multipart_buffer_headers() function (main/rfc1867.c) reassembles it at a cost that grows much faster than the size of the input, an algorithmic complexity flaw, so a small request keeps the server busy for a long time.

An attacker can therefore send specially formed multipart/form-data data to PHP, in order to trigger a denial of service.
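What "consumes numerous resources" means in practice, as an added example that models the class of bug rather than reproducing PHP's rfc1867.c: folding continuation lines with the strcat pattern re-walks the accumulated value on every line, so the bytes moved grow as the square of the line count, while a single-pass fold stays linear. The header lines are constructed; a byte counter replaces timing so the growth is exact and reproducible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes moved by the last fold, so growth can be measured without a stopwatch. */
static size_t bytes_copied;

/* Continuation-line folding with the classic strcat pattern: every appended
 * line re-walks the whole value accumulated so far, so n lines cost O(n^2). */
char *fold_quadratic(const char *const *lines, size_t n)
{
    char *value = calloc(1, 1);
    if (!value) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        while (*l == ' ' || *l == '\t') l++;       /* a folded line starts with whitespace */
        size_t old = strlen(value);                 /* re-scan of the whole value */
        char *grown = realloc(value, old + strlen(l) + 1);
        if (!grown) { free(value); return NULL; }
        value = grown;
        strcat(value, l);                           /* second re-scan, then the copy */
        bytes_copied += old + strlen(l);
    }
    return value;
}

/* Linear folding: size the buffer once, then append at a remembered offset. */
char *fold_linear(const char *const *lines, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += strlen(lines[i]);
    char *value = malloc(total + 1);
    if (!value) return NULL;
    char *p = value;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        while (*l == ' ' || *l == '\t') l++;
        size_t len = strlen(l);
        memcpy(p, l, len);
        p += len;
        bytes_copied += len;
    }
    *p = '\0';
    return value;
}

/* Constructed input: a filename value split over n header lines carrying 8
 * payload bytes each. Returns the bytes the given folder moved, 0 on error. */
size_t measure(char *(*fold)(const char *const *, size_t), size_t n)
{
    const char **lines = malloc(n * sizeof *lines);
    if (!lines || n == 0) { free(lines); return 0; }
    lines[0] = "AAAAAAAA";
    for (size_t i = 1; i < n; i++) lines[i] = " AAAAAAAA";   /* folded continuation */
    bytes_copied = 0;
    char *v = fold(lines, n);
    size_t moved = v ? bytes_copied : 0;
    free(v);
    free(lines);
    return moved;
}

int main(void)
{
    for (size_t n = 10; n <= 10000; n *= 10)
        printf("%6zu lines: linear %10zu bytes, quadratic %12zu bytes\n",
               n, measure(fold_linear, n), measure(fold_quadratic, n));
    return 0;
}
```

With 8 payload bytes per line the linear fold moves 8n bytes and the strcat fold 4n(n+1): at 1000 lines that is 8 kB against 4 MB, and the ratio keeps growing with the request, which is why a few kilobytes of folded headers can pin a CPU.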

computer vulnerability CVE-2015-4022

PHP: integer overflow of ftp_genlist

Synthesis of the vulnerability

An attacker can generate an integer overflow in ftp_genlist() of PHP, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, Fedora, openSUSE, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet server.
Creation date: 18/05/2015.
Identifiers: 69545, bulletinjul2017, CERTFR-2015-AVI-234, CVE-2015-4022, DSA-3280-1, FEDORA-2015-8370, FEDORA-2015-8383, openSUSE-SU-2015:0993-1, RHSA-2015:1135-01, RHSA-2015:1187-01, RHSA-2015:1218-01, RHSA-2015:1219-01, SSA:2015-162-02, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16915.

Description of the vulnerability

The PHP product implements an FTP client (the ftp_* functions).

However, when the directory listing returned by a malicious FTP server is large enough, the integer that accumulates its size overflows in ftp_genlist(), so the memory area allocated for the listing is too small and the data copied into it overflows the heap.

An attacker controlling an FTP server can therefore generate an integer overflow in ftp_genlist() of PHP, in order to trigger a denial of service, and possibly to execute code.
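The arithmetic behind the bulletin, as an added example and not PHP's ftp.c: a 32-bit counter that receives "line length + 1" per listing line wraps to a small value that is then handed to the allocator, while the copy loop still writes the real total. The wrap is modelled with uint32_t so it is defined behaviour in the demo (the original used int, where it is not). The hardened accounting uses size_t with an overflow check and a cap. The listing sizes are constructed: five lines of 858,993,479 bytes add up, with terminators, to 2^32 + 104.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed listings (line lengths only; no data is allocated). */
const uint64_t big_listing[5] = { 858993479, 858993479, 858993479, 858993479, 858993479 };
const uint64_t small_listing[2] = { 10, 20 };

/* Accounting in the style of the vulnerable code: a 32-bit counter gets
 * "line length + 1" per line and the result is passed to the allocator. */
int32_t listing_size_32bit(const uint64_t *line_len, size_t n)
{
    uint32_t size = 0;
    for (size_t i = 0; i < n; i++)
        size += (uint32_t)(line_len[i] + 1);
    return (int32_t)size;
}

/* The bytes that the copy loop will really write into that allocation. */
uint64_t listing_bytes_actual(const uint64_t *line_len, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) total += line_len[i] + 1;
    return total;
}

/* Shortfall between what is allocated and what is written, 0 if none. A
 * non-positive size means no sane allocation happens at all. */
uint64_t heap_overflow_bytes(const uint64_t *line_len, size_t n)
{
    int32_t alloc = listing_size_32bit(line_len, n);
    uint64_t need = listing_bytes_actual(line_len, n);
    if (alloc <= 0) return need;
    return need > (uint64_t)alloc ? need - (uint64_t)alloc : 0;
}

/* Hardened accounting: size_t, an overflow check before every addition, and a
 * cap on how much listing the client is willing to buffer at all. */
bool listing_size_checked(const uint64_t *line_len, size_t n, size_t cap, size_t *out)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (line_len[i] >= cap || line_len[i] + 1 > cap - size)
            return false;                 /* would exceed cap, so can never wrap */
        size += (size_t)line_len[i] + 1;
    }
    *out = size;
    return true;
}

bool listing_accepted(const uint64_t *line_len, size_t n, size_t cap)
{
    size_t size;
    return listing_size_checked(line_len, n, cap, &size);
}

int main(void)
{
    printf("32-bit size passed to allocator: %d\n", listing_size_32bit(big_listing, 5));
    printf("bytes the copy will write      : %llu\n",
           (unsigned long long)listing_bytes_actual(big_listing, 5));
    printf("heap overflow                  : %llu bytes\n",
           (unsigned long long)heap_overflow_bytes(big_listing, 5));
    printf("checked accounting, 1 GiB cap  : %s\n",
           listing_accepted(big_listing, 5, (size_t)1 << 30) ? "accepted" : "rejected");
    return 0;
}
```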

vulnerability bulletin CVE-2015-4021

PHP: memory corruption via phar_parse_tarfile

Synthesis of the vulnerability

An attacker can generate a memory corruption in phar_parse_tarfile() of PHP, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, Fedora, openSUSE, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 18/05/2015.
Identifiers: 69453, bulletinjul2017, CERTFR-2015-AVI-234, CVE-2015-4021, DSA-3280-1, FEDORA-2015-8370, FEDORA-2015-8383, openSUSE-SU-2015:0993-1, RHSA-2015:1135-01, RHSA-2015:1186-01, RHSA-2015:1187-01, RHSA-2015:1218-01, RHSA-2015:1219-01, SSA:2015-162-02, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16913.

Description of the vulnerability

The PHP product uses the Phar extension to manipulate PHP archives, including archives in tar format.

However, when an entry name starts with the '\0' character, the phar_parse_tarfile() function computes a name length of 0 and, while stripping a trailing '/', tests and overwrites the byte at index -1, one byte before the name buffer, with a null byte.

An attacker can therefore craft a Phar archive that generates a memory corruption in phar_parse_tarfile() of PHP, in order to trigger a denial of service, and possibly to execute code.
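A minimal tar header parser, added here as an example and not PHP's tar.c, that shows both the bug and the fix: the vulnerable arithmetic computes name[len - 1] and lands on index -1 for an empty name (the index is returned rather than dereferenced, so the demo itself stays memory-safe), and the hardened parser verifies the ustar checksum, refuses an empty name, and only then strips the directory slash. The headers are constructed in memory with a valid checksum; no archive file is needed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* POSIX ustar header (512 bytes; only the fields this example touches are named). */
typedef struct {
    char name[100];
    char mode[8];
    char uid[8];
    char gid[8];
    char size[12];
    char mtime[12];
    char chksum[8];
    char typeflag;
    char linkname[100];
    char magic[6];
    char version[2];
    char rest[247];
} tar_hdr;

/* Header checksum: byte sum with the chksum field itself counted as spaces. */
unsigned tar_checksum(const tar_hdr *h)
{
    const unsigned char *p = (const unsigned char *)h;
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof *h; i++)
        sum += (i >= 148 && i < 156) ? (unsigned char)' ' : p[i];
    return sum;
}

/* Length of the name field without relying on a terminator being present. */
size_t tar_name_len(const tar_hdr *h)
{
    const char *nul = memchr(h->name, '\0', sizeof h->name);
    return nul ? (size_t)(nul - h->name) : sizeof h->name;
}

/* Constructed entry header with a valid checksum (the archive body is not needed). */
void make_header(tar_hdr *h, const char *name)
{
    memset(h, 0, sizeof *h);
    strncpy(h->name, name, sizeof h->name);
    memcpy(h->mode, "0000644", 8);
    memcpy(h->size, "00000000000", 12);
    h->typeflag = '0';
    memcpy(h->magic, "ustar", 6);
    memcpy(h->version, "00", 2);
    snprintf(h->chksum, sizeof h->chksum, "%06o", tar_checksum(h));
    h->chksum[7] = ' ';
}

/* Vulnerable arithmetic (phar_parse_tarfile before the fix): the parser strips a
 * trailing '/' by touching name[len - 1]. Returned instead of dereferenced; for
 * an empty name it is -1, one byte before the buffer. */
long trailing_slash_index(const tar_hdr *h)
{
    return (long)tar_name_len(h) - 1;
}

/* Hardened parser: verify the checksum, refuse an empty name, then strip the
 * directory slash. Returns 0 with the name in out, -1 when the entry is rejected. */
int parse_entry_name(const tar_hdr *h, char *out, size_t outlen)
{
    char stored[9];
    memcpy(stored, h->chksum, 8);
    stored[8] = '\0';
    if ((unsigned)strtoul(stored, NULL, 8) != tar_checksum(h)) return -1;
    size_t len = tar_name_len(h);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, h->name, len);
    if (out[len - 1] == '/') len--;           /* safe: len >= 1 here */
    out[len] = '\0';
    return 0;
}

/* Wrappers over a constructed header for a given entry name. */
long demo_index(const char *name)
{
    tar_hdr h;
    make_header(&h, name);
    return trailing_slash_index(&h);
}

const char *demo_parse(const char *name, int corrupt_checksum)
{
    static char out[101];
    tar_hdr h;
    make_header(&h, name);
    if (corrupt_checksum) h.chksum[0] ^= 1;
    return parse_entry_name(&h, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    printf("empty name: vulnerable parser would touch index %ld\n", demo_index(""));
    printf("\"dir/\": index %ld, parsed as %s\n", demo_index("dir/"), demo_parse("dir/", 0));
    printf("empty name, hardened: %s\n", demo_parse("", 0) ? "accepted" : "rejected");
    return 0;
}
```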

vulnerability announcement CVE-2015-0240

Samba: use after free via NetLogon

Synthesis of the vulnerability

An unauthenticated attacker can force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges.
Impacted products: Debian, Fedora, HP-UX, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 23/02/2015.
Revision date: 15/04/2015.
Identifiers: 7014420, bulletinjan2015, c04636672, CERTFR-2015-AVI-078, CVE-2015-0240, DSA-3171-1, FEDORA-2015-2519, FEDORA-2015-2538, HPSBUX03320, MDVSA-2015:081, MDVSA-2015:082, MDVSA-2015:083, openSUSE-SU-2015:0375-1, openSUSE-SU-2016:1064-1, openSUSE-SU-2016:1106-1, openSUSE-SU-2016:1107-1, openSUSE-SU-2016:1108-1, openSUSE-SU-2016:1440-1, RHSA-2015:0249-01, RHSA-2015:0250-01, RHSA-2015:0251-01, RHSA-2015:0252-01, RHSA-2015:0253-01, RHSA-2015:0254-01, RHSA-2015:0255-01, RHSA-2015:0256-01, RHSA-2015:0257-01, SSA:2015-064-01, SSRT101952, SUSE-SU-2015:0353-1, SUSE-SU-2015:0371-1, SUSE-SU-2015:0386-1, USN-2508-1, VIGILANCE-VUL-16242.

Description of the vulnerability

The Samba product implements the NetLogon service in the smbd process.

An unauthenticated attacker (a NULL session over the IPC$ share) can call the ServerPasswordSet RPC of NetLogon. However, the _netr_ServerPasswordSet() function frees a memory area and then reuses it.

An unauthenticated attacker can therefore force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges, since smbd runs as root.

vulnerability CVE-2015-2809

mDNS: information disclosure and DDoS

Synthesis of the vulnerability

An attacker can query the mDNS service, in order to obtain sensitive information about the network, or to amplify a denial of service attack.
Impacted products: Avahi, DNS protocol, Synology DSM.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 01/04/2015.
Identifiers: CVE-2015-2809, VIGILANCE-VUL-16510, VU#550620.

Description of the vulnerability

The mDNS (Multicast DNS) protocol, on UDP port 5353, allows computers on a link to discover each other and the services available on their network.

However, some mDNS implementations also answer unicast queries arriving from outside the local link, whereas the protocol is only meant to serve the link it runs on.

An attacker on the Internet can therefore query the mDNS service, in order to obtain sensitive information about the network (host names, service types, ports), or to use the responder as a reflector that amplifies a denial of service attack against a third party, since the reply is much larger than the query.
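The probe and its detection, as an added example (not Avahi's or Synology's code and not part of the bulletin): a builder for the 46-byte unicast DNS query that enumerates every advertised service type (PTR for _services._dns-sd._udp.local, the DNS-SD enumeration name), which is what an outside attacker sends to UDP/5353, and a detector that flags such a query in a captured payload. The caller is assumed to feed the detector only packets whose source address is not on the local link; everything else is local to the block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS-SD service-type enumeration name: an answer lists every advertised type. */
#define DNSSD_ENUM_NAME "_services._dns-sd._udp.local"
#define QTYPE_PTR 12

/* Encode "a.b.c" as DNS labels; returns bytes written, 0 on error. */
size_t encode_name(const char *name, uint8_t *out, size_t outlen)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t ll = dot ? (size_t)(dot - name) : strlen(name);
        if (ll == 0 || ll > 63 || pos + 1 + ll + 1 > outlen) return 0;
        out[pos++] = (uint8_t)ll;
        memcpy(out + pos, name, ll);
        pos += ll;
        name += ll;
        if (*name == '.') name++;
    }
    out[pos++] = 0;                            /* root label */
    return pos;
}

/* Build a plain DNS query (ID 0, no flags, one question). Sent as unicast UDP
 * to port 5353, it is exactly the probe from outside the link; a correct mDNS
 * responder ignores it unless the source is link-local. */
size_t build_mdns_query(const char *name, uint16_t qtype, uint8_t *out, size_t outlen)
{
    if (outlen < 12) return 0;
    memset(out, 0, 12);
    out[5] = 1;                                /* QDCOUNT = 1 */
    size_t n = encode_name(name, out + 12, outlen - 12);
    if (n == 0 || 12 + n + 4 > outlen) return 0;
    size_t pos = 12 + n;
    out[pos++] = (uint8_t)(qtype >> 8);
    out[pos++] = (uint8_t)(qtype & 0xff);
    out[pos++] = 0;
    out[pos++] = 1;                            /* class IN */
    return pos;
}

/* Detection side: flag a UDP/5353 payload that is a query (QR=0) with exactly
 * one question for the enumeration name, type PTR. Label compression is not
 * valid in a question name here and is rejected as a malformed length. */
int is_mdns_service_enum_query(const uint8_t *pkt, size_t len)
{
    if (len < 12 + 4) return 0;
    if (pkt[2] & 0x80) return 0;                          /* QR=1: a response */
    if (((pkt[4] << 8) | pkt[5]) != 1) return 0;          /* exactly one question */
    char name[256];
    size_t np = 0, pos = 12;
    while (pos < len && pkt[pos] != 0) {
        size_t ll = pkt[pos++];
        if (ll > 63 || pos + ll > len || np + ll + 1 >= sizeof name) return 0;
        if (np) name[np++] = '.';
        memcpy(name + np, pkt + pos, ll);
        np += ll;
        pos += ll;
    }
    if (pos + 5 > len) return 0;                          /* terminator + qtype + qclass */
    name[np] = '\0';
    pos++;
    uint16_t qtype = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    return strcmp(name, DNSSD_ENUM_NAME) == 0 && qtype == QTYPE_PTR;
}

/* Constructed probe in a static buffer; returns its length (46 bytes). */
uint8_t probe[64];
size_t build_probe(void)
{
    return build_mdns_query(DNSSD_ENUM_NAME, QTYPE_PTR, probe, sizeof probe);
}

int main(void)
{
    size_t n = build_probe();
    printf("probe: %zu bytes, flagged by detector: %d\n", n, is_mdns_service_enum_query(probe, n));
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", probe[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

A responder that answers this 46-byte query with its full service list returns several hundred bytes, which is the amplification factor the bulletin refers to; on the detection side, the useful signal is this query arriving on 5353 from a non-link-local source.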

vulnerability CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can for example send an email containing a long malformed IPv4 address that the mail server resolves, and so generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code. Several programs using the gethostbyname() function are vulnerable with a similar attack vector.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity: 4/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept to directly process an IP address:
  he = gethostbyname("192.168.1.1");

However, a name made only of digits and dots that is too long to be a valid address (for example 192.168.111111.1 padded to more than 1024 bytes) triggers a buffer overflow in the __nss_hostname_digits_dots() function: the size computation for the reply buffer omits one pointer, so the copy runs sizeof(char *) bytes (4 or 8) past the end of the buffer.

An attacker can therefore for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
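A local check for this flaw, added here as an example modelled on the widely circulated canary test and not part of the bulletin: a digits-only name sized so that the flawed computation just fits it into a 1024-byte buffer is passed to gethostbyname_r(), with a canary placed directly after the buffer. On a fixed glibc the call returns ERANGE before copying anything and the canary survives; on a vulnerable one the copy overruns into it. The canary string and name length are the example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Length of the digits-only name that fills a 1024-byte buffer exactly as the
 * flawed size computation in __nss_hostname_digits_dots() expected: buffer minus
 * the 16 bytes reserved for the address, two pointers, and the terminating NUL.
 * The bug omitted one further pointer, so the copy ran sizeof(char *) bytes past
 * the buffer. */
size_t ghost_name_len(void)
{
    return 1024 - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* Returns 1 if this glibc overwrites the canary placed right after the
 * gethostbyname_r() buffer (vulnerable), 0 if the canary survives. */
int ghost_check(void)
{
    struct {
        char buffer[1024];
        char canary[sizeof CANARY];
    } temp = { "buffer", CANARY };
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[1024];

    size_t len = ghost_name_len();
    memset(name, '0', len);                 /* "000...0": digits only, no dots needed */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof temp.buffer, &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0) return 1;
    (void)rc;                               /* a fixed glibc reports ERANGE here */
    return 0;
}

int main(void)
{
    printf("%s\n", ghost_check() ? "vulnerable (CVE-2015-0235)" : "not vulnerable");
    return 0;
}
```

Run it on the host itself: the check exercises the local libc, so a container or chroot with an old glibc is tested independently of the kernel it runs on.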