Synology-SA-17:51 Cloud Station Drive

Publish Time: 2017-08-30 18:50:14 UTC+8

Last Updated: 2017-08-30 18:50:14 UTC+8

Severity: Moderate

Status: Resolved

Abstract

CVE-2017-11158 allows local users to execute arbitrary code during the installation of a vulnerable version of Cloud Station Drive on Windows.

Affected

  • Products
    • Cloud Station Drive before 4.2.5-4396

Description

Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.

Mitigation

None

Update Availability

To fix the security issue, please update Cloud Station Drive to 4.2.5-4396 or above.
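
A triage check for the issue described above, as an added example that is not Synology's own code: it flags any of the four DLL names from the Description found in a folder an installer would be launched from, and compares a version string against the fixed release named under Update Availability. The `major.minor.patch-build` parsing, the file names in the sample folder and the sample version strings are constructed assumptions.

```python
import os
import re
import tempfile

# DLL names listed in the advisory's Description.
HIJACKABLE_DLLS = {"shfolder.dll", "ntmarta.dll", "secur32.dll", "dwmapi.dll"}
# First fixed release per the advisory (4.2.5-4396).
FIXED_VERSION = (4, 2, 5, 4396)


def parse_version(text):
    """Parse 'major.minor.patch-build' into a tuple of ints (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version_text):
    """True when the version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def find_suspect_dlls(directory):
    """Return names of files in `directory` that match the advisory's DLL names.

    Windows file names are case-insensitive, so names are compared lowercased.
    A hit next to a downloaded installer deserves inspection before running it.
    """
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower() in HIJACKABLE_DLLS:
            hits.append(entry.name)
    return sorted(hits, key=str.lower)


def demo():
    """Constructed sample: a download folder with an installer and stray DLLs."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("installer.exe", "DWMAPI.DLL", "secur32.dll", "readme.txt"):
            open(os.path.join(d, name), "wb").close()
        return find_suspect_dlls(d)


if __name__ == "__main__":
    print(demo())
    # Constructed version strings, not taken from the advisory.
    print(is_affected("4.1.0-1000"), is_affected("4.2.5-4396"))
```
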