Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Important
- Status: Resolved
Abstract
The vulnerability reported in ZDI-CAN-25658 allows remote attackers to obtain administrator credentials.
The vulnerability reported in ZDI-CAN-25659 allows remote attackers to inject SQL commands limited to write operations.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
Synology Drive Server for DSM 7.2.2 | Important | Upgrade to 3.5.1-26102 or above. |
Synology Drive Server for DSM 7.2.1 | Important | Upgrade to 3.5.0-26085 or above. |
Synology Drive Server for DSM 7.1 | Important | Upgrade to 3.2.1-23280 or above. |
Synology Drive Server for DSM 6.2 | Important | Upgrade to 3.0.4-12699 or above. |
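The fixed release differs per DSM branch, so a fleet check has to pick the right row of the table above before comparing versions: 3.5.0-26085 is the fixed build on DSM 7.2.1 but sits below the 3.5.1-26102 required on DSM 7.2.2. The following script is an added example, not Synology's tooling; it encodes the table from this advisory and compares Synology's dotted-plus-build version strings numerically. The version-string format ("3.5.1-26102", "7.2.1-69057 Update 3") and the sample inventory are assumptions of the example, not something the advisory states.

```python
"""Check installed Synology Drive Server builds against the fixed releases
named in Synology-SA-24:21. Added example, not Synology code."""

import re
from typing import Tuple

# DSM branch -> first fixed Synology Drive Server release, from the advisory's
# Affected Products table.
FIXED_RELEASES = {
    "7.2.2": "3.5.1-26102",
    "7.2.1": "3.5.0-26085",
    "7.1": "3.2.1-23280",
    "6.2": "3.0.4-12699",
}

VersionKey = Tuple[Tuple[int, ...], int]


def parse_version(version: str) -> VersionKey:
    """Split "3.5.1-26102" into ((3, 5, 1), 26102) so that versions compare
    numerically rather than as strings. A missing build number counts as 0.
    The "dotted-build" format is an assumption about Synology's strings."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    dotted = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return dotted, build


def dsm_branch(dsm_version: str) -> str:
    """Map a DSM version such as "7.2.1-69057 Update 3" to the branch key used
    in the table. Longest matching prefix wins, so "7.2.2" is not mistaken for
    a generic 7.2 entry. DSM releases the advisory does not list raise KeyError
    instead of being silently treated as fixed."""
    core = dsm_version.strip().split()[0].split("-")[0]
    parts = core.split(".")
    for n in range(len(parts), 0, -1):
        candidate = ".".join(parts[:n])
        if candidate in FIXED_RELEASES:
            return candidate
    raise KeyError(f"DSM {dsm_version!r} is not listed in Synology-SA-24:21")


def is_fixed(dsm_version: str, drive_version: str) -> bool:
    """True when the installed Drive Server build is at or above the fixed
    release for this host's DSM branch."""
    fixed = FIXED_RELEASES[dsm_branch(dsm_version)]
    return parse_version(drive_version) >= parse_version(fixed)


def assess(dsm_version: str, drive_version: str) -> str:
    """One-line verdict for a host, naming the fixed release it is held to."""
    branch = dsm_branch(dsm_version)
    fixed = FIXED_RELEASES[branch]
    state = "fixed" if is_fixed(dsm_version, drive_version) else "VULNERABLE"
    return (f"DSM {branch}: Synology Drive Server {drive_version} is {state} "
            f"(fixed release {fixed})")


if __name__ == "__main__":
    # Constructed sample inventory (hostname, DSM version, Drive Server version);
    # these are not real hosts.
    inventory = [
        ("nas-01", "7.2.1-69057 Update 3", "3.5.0-26085"),
        ("nas-02", "7.2.2", "3.5.0-26085"),
        ("nas-03", "6.2", "3.0.3-12689"),
    ]
    for host, dsm, drive in inventory:
        print(host, assess(dsm, drive))
```

nas-02 illustrates the branch dependence: the same 3.5.0-26085 build that passes on DSM 7.2.1 is reported vulnerable on DSM 7.2.2. On the NAS itself the installed package version can be read with `synopkg version SynologyDrive` (the package identifier is assumed here) and fed into `assess()`.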
Mitigation
None
Detail
CVE-2024-50630
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.
CVE-2024-50631
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.
Acknowledgement
Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team
Revision
Revision | Date | Description |
---|---|---|
1 | 2024-11-05 | Initial public release. |
2 | 2024-11-12 | Update for Synology Drive Server for DSM 7.2.1 is now available in Affected Products. |
3 | 2024-11-12 | Update for Synology Drive Server for DSM 7.1 is now available in Affected Products. |
4 | 2024-11-21 | Added Synology Drive Server for DSM 6.2 to Affected Products. |
5 | 2024-11-21 | Update for Synology Drive Server for DSM 6.2 is now available in Affected Products. |
6 | 2025-03-19 | Disclosed vulnerability details. |