Synology-SA-25:01 DSM (PWN2OWN 2024)
Publish Time: UTC+8
Last Updated: UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
A vulnerability allows man-in-the-middle attackers to hijack the authentication of administrators.
The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25487) has been addressed.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.2.2 | Moderate | Upgrade to 7.2.2-72806-3 or above. |
| DSM 7.2.1 | Moderate | Upgrade to 7.2.1-69057-7 or above. |
| DSM 7.1 | Moderate | Upgrade to 7.1.1-42962-8 or above. |
Mitigation
None
Detail
- CVE-2024-10444
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.
Acknowledgement
Chris Anastasio (@mufinnnnnnn) & Fabius Watson (@FabiusArtrel)
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2025-02-04 | Initial public release. |
| 2 | 2025-03-19 | Disclosed vulnerability details. |