Synology-SA-17:22 Stack Clash
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Moderate
- Status: Resolved
Abstract
Stack Clash is a vulnerability in memory management that allows local authenticated users to corrupt memory and obtain full root privileges.
The vulnerability has a low impact on x86-64 models.
Severity
Moderate
CVSSv3 Base Score: 7.7
Affected
- Products
  - DSM 6.1
  - DSM 6.0
  - DSM 5.2
  - SRM 1.1
- Models
  - All Synology models
Description
CVE-2017-1000364
An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux Kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).
CVE-2017-1000366
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory, but these issues are not directly exploitable; as such, they have not been given a CVE. This affects glibc 2.25 and earlier.
Mitigation
We are now working on a solution to this vulnerability. For an immediate workaround, please contact us at security@synology.com.
Update Availability
To fix the security issue, please update DSM 6.1 to 6.1.3-15152-3 or above, update DSM 6.0 to 6.0.3-8754-6 or above, update DSM 5.2 to 5.2-5967-5 or above, and SRM 1.1 to 1.1.5-6542 or above.
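A fleet check built from the fixed releases listed above, added here as an example (it is not Synology's code). It assumes version strings in the `version-build-update` form this advisory uses and, as a further assumption, also accepts the `build Update N` spelling; the hostnames and inventory are constructed.

```python
import re

# Minimum fixed releases, copied from the "Update Availability" paragraph.
FIXED = {
    ("DSM", 6, 1): "6.1.3-15152-3",
    ("DSM", 6, 0): "6.0.3-8754-6",
    ("DSM", 5, 2): "5.2-5967-5",
    ("SRM", 1, 1): "1.1.5-6542",
}

# major.minor[.patch]-build[-update]  or  "... Update N" (assumed spelling)
_VERSION = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:(?:-| Update )(\d+))?$"
)


def parse_version(text):
    """Return (major, minor, patch, build, update); absent parts count as 0."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def advisory_status(product, version):
    """Classify one device as 'fixed', 'vulnerable' or 'not-listed'."""
    parsed = parse_version(version)
    fixed = FIXED.get((product.upper(), parsed[0], parsed[1]))
    if fixed is None:
        return "not-listed"  # release branch is not named in this advisory
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def audit(inventory):
    """Map each host in (host, product, version) rows to its status."""
    return {host: advisory_status(prod, ver) for host, prod, ver in inventory}


# Constructed inventory for illustration; not real devices.
SAMPLE = [
    ("nas-01", "DSM", "6.1.3-15152 Update 3"),
    ("nas-02", "DSM", "6.1.3-15152-2"),
    ("nas-03", "DSM", "5.2-5967-5"),
    ("rt-01", "SRM", "1.1.4-6509"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A `not-listed` result means the device's release branch does not appear in the table above, so the advisory's fixed versions cannot be compared against it directly.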