Publish Time: 2018-03-14 16:54:07 UTC+8
Last Updated: 2018-03-27 16:03:27 UTC+8
Abstract
CVE-2018-1057 allows remote authenticated users to change other users' passwords via a susceptible version of Synology DiskStation Manager (DSM) with Active Directory Server installed.
Synology rates the overall severity as Important according to CVSS v3.0 metrics. However, the vulnerable functionality is disabled by default, and there is no user interface through which it can be enabled. Synology has therefore decided to postpone the fix to an upcoming update within the next 90 days.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
Active Directory Server | Important | Upgrade DSM 6.1 to 6.1.6-15266. |
Mitigation
If you need immediate assistance, please contact security@synology.com.
Detail
Reference
Revision
Revision | Date | Description |
---|---|---|
1 | 2018-03-14 | Initial public release. |
2 | 2018-03-27 | Update for Active Directory Server is now available in Affected Products. |