Synology-SA-23:15 Synology Camera (PWN2OWN 2023)
Publish Time: 2023-11-20 17:47:11 UTC+8
Last Updated: 2024-06-28 15:25:31 UTC+8
- Severity
- Critical
- Status
- Resolved
Abstract
The vulnerabilities allow remote attackers to execute arbitrary code and remote users to bypass security constraints via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.
The vulnerabilities reported by PWN2OWN 2023 have been addressed.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| BC500 | Critical | Upgrade to 1.0.7-0298 or above. |
| TC500 | Critical | Upgrade to 1.0.7-0298 or above. |
Mitigation
None
Detail
CVE-2024-39349
- Severity: Critical
- CVSS3 Base Score: 9.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
CVE-2023-47802
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
CVE-2024-39350
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding authentication bypass by spoofing is found in the RTSP functionality. This allows man-in-the-middle attackers to obtain privileges without consent via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
CVE-2024-39351
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
CVE-2023-47803
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- A vulnerability regarding improper limitation of a pathname to a restricted directory ('Path Traversal') is found in the Language Settings functionality. This allows remote attackers to read specific files containing non-sensitive information via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
CVE-2024-39352
- Severity: Moderate
- CVSS3 Base Score: 4.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
Acknowledgement
Freddy Ma, Jimmy Chang, Jimmy Liu (DrmnSamoLiu), Kyo Chen, Nancy Chang, Sébastien Dusuel (DuSu) working with Trend Micro Zero Day Initiative
Jaehoon Jang, Wonbeen Im, STEALIEN(https://stealien.com)
Romain JOUET (@JouetR), Baptiste MOINE (@Creased_) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2023-11-20 | Initial public release. |
| 2 | 2024-06-28 | Disclosed vulnerability details. |