Synology-SA-22:25 SRM

Publish Time: 2022-12-22 13:44:47 UTC+8

Last Updated: 2023-05-16 16:15:13 UTC+8

Severity
Critical
Status
Resolved

Abstract

Multiple vulnerabilities allow remote attackers to execute arbitrary command, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM).

Affected Products

Product Severity Fixed Release Availability
SRM 1.3 Critical Upgrade to 1.3.1-9346-3 or above.
SRM 1.2 Critical Upgrade to 1.2.5-8227-6 or above.

Mitigation

None

Detail

  • CVE-2023-32956

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2022-43932

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    • Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2023-32955

    • Severity: Important
    • CVSS3 Base Score: 8.1
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DHCP Client Functionality in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows man-in-the-middle attackers to execute arbitrary commands via unspecified vectors.

  • CVE-2023-0077

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
    • Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors.

Acknowledgement

  • Orange Tsai from Devcore

  • Lukas Kupczyk from CrowdStrike

  • Gaurav Baruah (@gauravb) working with Trend Micro’s Zero Day Initiative

  • Rico Tubbing and Jurian van Dalfsen (Computest) working with Trend Micro’s Zero Day Initiative

Revision

Revision Date Description
1 2022-12-22 Initial public release.
2 2023-01-06 Disclosed vulnerability details.
3 2023-05-16 Disclosed vulnerability details.