The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Synology DSM

vulnerability CVE-2015-2809

mDNS: information disclosure and DDoS

Synthesis of the vulnerability

An attacker can query the mDNS service, in order to obtain sensitive information about the network, or to amplify a denial of service attack.
Impacted products: Avahi, DNS protocol, Synology DSM.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Creation date: 01/04/2015.
Identifiers: CVE-2015-2809, VIGILANCE-VUL-16510, VU#550620.

Description of the vulnerability

The mDNS (Multicast DNS) protocol allows local computers to discover services available on their networks.

However, some mDNS implementations reply to unicast queries coming from outside their local network.

An attacker can therefore query the mDNS service, in order to obtain sensitive information about the network, or to amplify a denial of service attack.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code. Several programs using the gethostbyname() function are vulnerable with a similar attack vector.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity: 4/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept to directly process an IP address:
  he = gethostbyname("192.168.1.1");

However, a malformed IPv4 address which is too long (more than 1024 bytes long), such as 192.168.111111.1, triggers an overflow in the __nss_hostname_digits_dots() function.

An attacker can therefore for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
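As an added example (not from the bulletin, from glibc, or from any of the programs listed), here is the defensive counterpart of the description above: a resolver wrapper that never calls gethostbyname(), bounds the length of untrusted input before any resolver routine sees it, and parses digits-and-dots input with getaddrinfo()'s AI_NUMERICHOST flag so that a malformed literal is refused without touching the DNS lookup path. The constant MAX_HOST_LEN and the function names are assumptions of this example; getaddrinfo(), inet_ntop() and AI_NUMERICHOST are the standard POSIX interfaces.

```c
/* Added example (not from the bulletin or glibc): resolving a host
 * without gethostbyname(), with input bounds applied first. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumed upper bound on a hostname taken from untrusted input
 * (DNS names are at most 255 octets); longer input is rejected before
 * it reaches any resolver routine. */
#define MAX_HOST_LEN 255

/* Returns 1 if name consists only of digits and dots, i.e. it would take
 * the "IP address literal" path the bulletin describes, 0 otherwise. */
int looks_like_ipv4_literal(const char *name)
{
    if (*name == '\0')
        return 0;
    for (const char *p = name; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.')
            return 0;
    return 1;
}

/* Resolve name into out (dotted quad, at least INET_ADDRSTRLEN bytes).
 * Returns 0 on success, -1 if the input is rejected or unresolvable.
 * Numeric-looking input is handed to getaddrinfo() with AI_NUMERICHOST,
 * so a malformed literal such as "192.168.111111.1" is refused by the
 * address parser and never triggers a name lookup. */
int resolve_host_safely(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    size_t len = strlen(name);

    if (len == 0 || len > MAX_HOST_LEN)
        return -1;                       /* length guard comes first */

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (looks_like_ipv4_literal(name))
        hints.ai_flags = AI_NUMERICHOST; /* parse only, no DNS query */

    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;

    struct sockaddr_in *addr = (struct sockaddr_in *)res->ai_addr;
    if (inet_ntop(AF_INET, &addr->sin_addr, out, outlen) == NULL) {
        freeaddrinfo(res);
        return -1;
    }
    freeaddrinfo(res);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a valid literal, the malformed literal
     * quoted in the bulletin, and a plain name. */
    const char *inputs[] = { "192.168.1.1", "192.168.111111.1", "localhost" };
    char buf[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (resolve_host_safely(inputs[i], buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", inputs[i], buf);
        else
            printf("%-20s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The order of the checks is the point: the length bound and the numeric-only parse both happen before anything that could start a lookup, so an over-long or malformed "address" never reaches a resolver fast path of the kind that GHOST abused.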

computer vulnerability bulletin CVE-2014-3710

PHP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, Solaris, PHP, Slackware, Synology DSM.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/11/2014.
Identifiers: bulletinjul2015, CERTFR-2014-AVI-483, CVE-2014-3710, DSA-3074-1, DSA-3074-2, MDVSA-2015:080, SSA:2014-356-02, VIGILANCE-VUL-15648.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can create a malformed ELF file, to force a read at an invalid address in the donote() function of fileinfo, in order to trigger a denial of service (VIGILANCE-VUL-15626). [severity:1/4; CVE-2014-3710]

An attacker can generate a buffer overflow in php_getopt(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4]

An attacker can generate a buffer overflow in zend_hash_copy, in order to trigger a denial of service, and possibly to execute code. [severity:2/4]

An attacker can generate a buffer overflow in libmagic/readcdf.c, in order to trigger a denial of service, and possibly to execute code. [severity:2/4]

computer vulnerability note CVE-2014-7824

D-Bus: denial of service

Synthesis of the vulnerability

An attacker can use D-Bus, in order to trigger a denial of service on related applications.
Impacted products: Debian, Fedora, openSUSE, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 12/11/2014.
Identifiers: 85105, CVE-2014-7824, DSA-3099-1, FEDORA-2014-16147, FEDORA-2014-16227, FEDORA-2014-16243, FEDORA-2014-17570, FEDORA-2014-17595, MDVSA-2014:214, MDVSA-2015:176, openSUSE-SU-2014:1454-1, openSUSE-SU-2014:1455-1, USN-2425-1, VIGILANCE-VUL-15629.

Description of the vulnerability

The D-Bus system is used by local applications, in order to exchange messages.

However, an attacker can exhaust all available file descriptors, in order to trigger a denial of service.

An attacker can therefore use D-Bus, in order to trigger a denial of service on related applications.

computer vulnerability alert CVE-2014-3710

Fine Free file: unreachable memory reading via ELF donote

Synthesis of the vulnerability

An attacker can create a malformed ELF file, to force a read at an invalid address in the donote() function of file, in order to trigger a denial of service.
Impacted products: Debian, Fedora, FreeBSD, openSUSE, Solaris, RHEL, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Creation date: 12/11/2014.
Identifiers: bulletinjul2015, CVE-2014-3710, DSA-3072-1, FEDORA-2014-13571, FreeBSD-SA-14:28.file, MDVSA-2014:236, MDVSA-2015:080, openSUSE-SU-2014:1516-1, RHSA-2014:1765-01, RHSA-2014:1766-01, RHSA-2014:1767-01, RHSA-2014:1768-01, RHSA-2015:2155-07, RHSA-2016:0760-01, USN-2391-1, USN-2494-1, VIGILANCE-VUL-15626.

Description of the vulnerability

The file program is used to detect the type of a file.

However, the donote() function of the src/readelf.c file tries to read a memory area which is not reachable, which triggers a fatal error.

An attacker can therefore create a malformed ELF file, to force a read at an invalid address in the donote() function of file, in order to trigger a denial of service.

vulnerability CVE-2014-3668 CVE-2014-3669 CVE-2014-3670

PHP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, Fedora, openSUSE, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 17/10/2014.
Identifiers: bulletinjul2015, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, DSA-3064-1, FEDORA-2014-13013, FEDORA-2014-13031, MDVSA-2014:202, MDVSA-2015:080, openSUSE-SU-2014:1377-1, openSUSE-SU-2014:1391-1, openSUSE-SU-2014:1733-1, openSUSE-SU-2015:0014-1, RHSA-2014:1765-01, RHSA-2014:1766-01, RHSA-2014:1767-01, RHSA-2014:1768-01, RHSA-2014:1824-01, RHSA-2015:0021-01, SSA:2014-307-03, SUSE-SU-2016:1638-1, USN-2391-1, VIGILANCE-VUL-15500.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can generate a buffer overflow in mkgmtime(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-3668]

An attacker can generate a memory corruption in exif_thumbnail(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-3670]

An attacker can generate an integer overflow in unserialize(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-3669]

An attacker can inject a null byte in cURL. [severity:2/4]

An attacker can generate a character overflow in libmagic, in order to trigger a denial of service, and possibly to execute code. [severity:2/4]

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the negotiated version to SSL 3.0. With SSL 3.0 and a CBC cipher suite, the attacker can then manipulate the position of the padding, in order to progressively guess fragments of the clear text.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.

computer vulnerability note CVE-2006-7243

PHP: file access via the null character

Synthesis of the vulnerability

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access a file, the name of the file which is really accessed is truncated.
Impacted products: BIG-IP Hardware, TMOS, HP-UX, PHP, RHEL, Slackware, Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 19/11/2010.
Identifiers: BID-44951, c03183543, CVE-2006-7243, HPSBUX02741, RHSA-2013:1307-01, RHSA-2013:1615-02, RHSA-2014:0311-01, SOL13519, SSA:2015-162-02, SSRT100728, VIGILANCE-VUL-10139.

Description of the vulnerability

The PHP language offers several file processing functions: include(), copy(), is_file(), file_get_contents(), file_put_contents(), file(), glob(), is_dir(), file_exists(), fileatime(), filectime(), filegroup(), fileinode(), filemtime(), fileowner(), fileperms(), filesize(), filetype(), fopen(), is_executable(), is_link(), is_readable(), is_writable(), lchgrp(), lchown(), link(), linkinfo(), lstat(), mkdir(), pathinfo(), popen(), readfile(), realpath(), rename(), rmdir(), stat(), symlink(), touch(), unlink(), tempnam().

The C language uses the null '\0' character as the end of a string, but the PHP language allows a string to contain a null: "str\0ing".

File processing functions (implemented in C) truncate the file name after the null character. However, the optional PHP code checking the file name validity does not truncate the file name. This inconsistency can for example allow the access to a file, even if its extension is invalid.

When a PHP application does not filter null characters in its parameters, and then uses these parameters to access a file, the name of the file which is really accessed is therefore truncated.
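The inconsistency described above, as an added example written in C (it is not from the bulletin or from PHP's source): a length-delimited string models what PHP carries, a strlen()-based view models what the C file functions see, and the hardened check refuses any name the two would disagree on before looking at its extension. The struct and function names, and the sample file name "config.php\0.png", are constructed for this example.

```c
/* Added example (not from the bulletin or PHP): the length mismatch
 * behind null-byte file access, and the check that closes it. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* A string as PHP carries it: bytes plus an explicit length, so an
 * embedded '\0' is part of the value rather than its terminator. */
struct php_str {
    const char *data;
    size_t len;
};

/* Mimics the optional PHP-level validation the bulletin describes: it
 * inspects the whole length-delimited value, so a name that merely ends
 * in the allowed extension passes, embedded null or not. */
bool extension_ok_php_level(struct php_str name, const char *ext)
{
    size_t elen = strlen(ext);
    return name.len >= elen &&
           memcmp(name.data + name.len - elen, ext, elen) == 0;
}

/* What the C-level file function actually opens: the bytes up to the
 * first '\0', because strlen() stops there. Returns that length. */
size_t c_level_effective_len(struct php_str name)
{
    return strlen(name.data);
}

/* Hardened check: refuse any embedded null first, so the PHP view and
 * the C view of the name are guaranteed to agree, then validate the
 * extension on the now-consistent value. */
bool filename_ok_hardened(struct php_str name, const char *ext)
{
    if (memchr(name.data, '\0', name.len) != NULL)
        return false;
    return extension_ok_php_level(name, ext);
}

int main(void)
{
    /* Constructed sample: looks like a .png to PHP, opens config.php in C. */
    struct php_str evil = { "config.php\0.png", sizeof("config.php\0.png") - 1 };
    struct php_str good = { "photo.png", sizeof("photo.png") - 1 };

    printf("PHP-level extension check : %s\n",
           extension_ok_php_level(evil, ".png") ? "passes" : "fails");
    printf("C-level effective name    : %.*s (%zu of %zu bytes)\n",
           (int)c_level_effective_len(evil), evil.data,
           c_level_effective_len(evil), evil.len);
    printf("hardened check (evil)     : %s\n",
           filename_ok_hardened(evil, ".png") ? "passes" : "fails");
    printf("hardened check (good)     : %s\n",
           filename_ok_hardened(good, ".png") ? "passes" : "fails");
    return 0;
}
```

The hardened check is deliberately a rejection rather than a truncation: silently cutting the name at the null would reproduce exactly the behaviour the C functions already have, whereas refusing the value keeps every later check looking at the same bytes the file system will.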