Synology-SA-23:15 Synology Camera (PWN2OWN 2023)

Publish Time: 2023-11-20 17:47:11 UTC+8

Last Updated: 2024-06-28 15:25:31 UTC+8

Severity
Critical
Status
Resolved

Abstract

The vulnerabilities allow remote attackers to execute arbitrary code and remote users to bypass security constraints via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.

The vulnerabilities reported by PWN2OWN 2023 have been addressed.

Affected Products

Product Severity Fixed Release Availability
BC500 Critical Upgrade to 1.0.7-0298 or above.
TC500 Critical Upgrade to 1.0.7-0298 or above.

Mitigation

None

Detail

  • CVE-2024-39349

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
  • CVE-2023-47802

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
  • CVE-2024-39350

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • A vulnerability regarding authentication bypass by spoofing is found in the RTSP functionality. This allows man-in-the-middle attackers to obtain privileges without consent via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
  • CVE-2024-39351

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
  • CVE-2023-47803

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • A vulnerability regarding improper limitation of a pathname to a restricted directory ('Path Traversal') is found in the Language Settings functionality. This allows remote attackers to read specific files containing non-sensitive information via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
  • CVE-2024-39352

    • Severity: Moderate
    • CVSS3 Base Score: 4.9
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
    • A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.

Acknowledgement

  • Freddy Ma, Jimmy Chang, Jimmy Liu (DrmnSamoLiu), Kyo Chen, Nancy Chang, Sébastien Dusuel (DuSu) working with Trend Micro Zero Day Initiative

  • Jaehoon Jang, Wonbeen Im, STEALIEN(https://stealien.com)

  • Romain JOUET (@JouetR), Baptiste MOINE (@Creased_) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

Reference

Revision

Revision Date Description
1 2023-11-20 Initial public release.
2 2024-06-28 Disclosed vulnerability details.

Synology Solution Day Rejoignez-nous pour découvrir les dernières nouveautés en matière de gestion des données. En savoir plus