Synology-SA-18:24 DSM

Publish Time: 2018-05-23 14:07:44 UTC+8

Last Updated: 2018-06-08 15:36:43 UTC+8

Severity: Important

Status: Resolved

Abstract

Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or to set new password without verification via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product	Severity	Fixed Release Availability
DSM 6.1	Important	Upgrade to DSM 6.2-23739 or above.
DSM 6.0	Important	Upgrade to DSM 6.2-23739 or above.
DSM 5.2	Important	Upgrade to DSM 6.2-23739 or above.

Mitigation

None

Detail

CVE-2017-12075
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.
CVE-2018-8916
- Severity: Moderate
- CVSS3 Base Score: 6.3
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

Revision

Revision	Date	Description
1	2018-05-23	Initial public release.
2	2018-06-08	Disclosed vulnerability details.