Synology-SA-21:02 Sudo
Publish Time: 2021-02-22 10:44:30 UTC+8
Last Updated: 2021-09-01 15:40:37 UTC+8
- Severity
- Low
- Status
- Accepted
Abstract
A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 6.2 | Low | Upgrade to 6.2.4-25554 or above. |
| DSM UC | Low | Upgrade to 3.1-23033 or above. |
| SkyNAS | Low | Pending |
| VS960HD | Low | Ongoing |
| SRM 1.2 | Not affected | N/A |
Mitigation
None
Detail
- CVE-2021-3156
- Severity: Low
- CVSS3 Base Score: 6.7
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
- Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Reference
- Sudo Heap-Based Buffer Overflow Vulnerability — CVE-2021-3156
- VU#794544
- Buffer overflow in command line unescaping
- CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
- CVE-2021-3156
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2021-02-22 | Initial public release. |
| 2 | 2021-02-23 | Update for DSM 6.2 is now available in Affected Products. |
| 3 | 2021-06-02 | Updated severity for DSM 6.2, DSM UC, SkyNAS and VS960HD in Affected Products. |
| 4 | 2021-06-01 | Update for DSM UC is now available in Affected Products. |