Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack

Publish Time: 2019-08-08 18:21:05 UTC+8

Last Updated: 2021-05-20 11:30:28 UTC+8

Severity: Moderate

Status: Resolved

Abstract

The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU or even if in Virtual Machine Manager.

Affected Products

Product	Severity	Fixed Release Availability
DSM 6.2^[1]^[2]	Moderate	Upgrade to 6.2.2-24922-5 or above. [2]

^[1] DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS415+, RS815+, RS815RP+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416+, RS2416RP+, RS818+, RS818RP+, RS1219+, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, FS3017 will not be fixed.

^[2] DS418play, DS218+, DS718+, DS918+, DS1019+, DS620slim, DS1618+, RS2418+, RS2418RP+, RS2818RP+, DS2419+, DS1819+, DVA3219, RS3614xs, RS3614RPxs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, FS1018, FS2017, RS1619xs+, SA3400, FS3400 please upgrade to 6.2.2-24922-5 or above.

Mitigation

None

Detail

CVE-2019-1125
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
- An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073.

Reference

Revision

Revision	Date	Description
1	2019-08-08	Initial public release.
2	2019-12-17	Disclosed vulnerability details.