Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack
Publish Time: 2019-08-08 18:21:05 UTC+8
Last Updated: 2021-05-20 11:30:28 UTC+8
- Severity: Moderate
- Status: Resolved
Abstract
The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU, or even in Virtual Machine Manager.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
DSM 6.2[1][2] | Moderate | Upgrade to 6.2.2-24922-5 or above. [2] |
[1] DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS415+, RS815+, RS815RP+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416+, RS2416RP+, RS818+, RS818RP+, RS1219+, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, FS3017 will not be fixed.
[2] For DS418play, DS218+, DS718+, DS918+, DS1019+, DS620slim, DS1618+, RS2418+, RS2418RP+, RS2818RP+, DS2419+, DS1819+, DVA3219, RS3614xs, RS3614RPxs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, FS1018, FS2017, RS1619xs+, SA3400, FS3400, please upgrade to 6.2.2-24922-5 or above.
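The footnotes above can be applied to a device inventory with a short check; this is an added example, not part of Synology's advisory or tooling. The function names, status labels and inventory rows are assumptions made for illustration, and model names are matched exactly because RS3614xs and RS3614xs+ fall under different footnotes.

```python
import re

# Model lists copied from footnotes [1] and [2] of the advisory.
NO_FIX = "DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS415+, RS815+, RS815RP+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416+, RS2416RP+, RS818+, RS818RP+, RS1219+, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, FS3017"
UPGRADE = "DS418play, DS218+, DS718+, DS918+, DS1019+, DS620slim, DS1618+, RS2418+, RS2418RP+, RS2818RP+, DS2419+, DS1819+, DVA3219, RS3614xs, RS3614RPxs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, FS1018, FS2017, RS1619xs+, SA3400, FS3400"
FIXED_BUILD = (24922, 5)  # build and update number of 6.2.2-24922-5


def _names(csv):
    # Exact, case-insensitive names; substring matching would confuse
    # RS3614xs with RS3614xs+ and RS3617xs with RS3617xs+.
    return {name.strip().casefold() for name in csv.split(",")}


NO_FIX_MODELS, UPGRADE_MODELS = _names(NO_FIX), _names(UPGRADE)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)?-(\d+)(?:-(\d+))?")


def classify(model, dsm_version):
    """Return the advisory status for one inventory row (hypothetical helper)."""
    m = VERSION_RE.fullmatch(dsm_version.strip())
    if m is None:
        raise ValueError(f"unrecognised DSM version: {dsm_version!r}")
    if (int(m.group(1)), int(m.group(2))) != (6, 2):
        return "out-of-scope"  # the advisory lists DSM 6.2 only
    key = model.strip().casefold()
    if key in NO_FIX_MODELS:
        return "will-not-be-fixed"
    if key not in UPGRADE_MODELS:
        return "not-listed"
    # A version without a trailing "-N" is treated as update 0.
    installed = (int(m.group(3)), int(m.group(4) or 0))
    return "fixed" if installed >= FIXED_BUILD else "upgrade-required"


# Constructed inventory rows (model, installed DSM version) for illustration.
INVENTORY = [("DS918+", "6.2.2-24922-4"), ("rs3614xs", "6.2.2-24922-5"),
             ("RS3614xs+", "6.2.2-24922-5"), ("DS1517+", "6.2.2-24922")]


def triage(rows):
    """Map each (model, version) row to its status."""
    return {(model, ver): classify(model, ver) for model, ver in rows}


if __name__ == "__main__":
    for row, status in triage(INVENTORY).items():
        print(row, status)
```

Units reported as `will-not-be-fixed` have no upgrade path under this advisory, so they are the rows to track separately.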
Mitigation
None
Detail
- CVE-2019-1125
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
- An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073.
Reference
Revision
Revision | Date | Description |
---|---|---|
1 | 2019-08-08 | Initial public release. |
2 | 2019-12-17 | Disclosed vulnerability details. |