Synology-SA-18:30 SSL VPN Client

Publish Time: 2018-06-01 15:08:53 UTC+8

Last Updated: 2019-03-31 23:56:49 UTC+8

Severity
Important
Status
Resolved

Abstract

A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of SSL VPN Client.

Affected Products

Product Severity Fixed Release Availability
SSL VPN Client Important Upgrade to 1.2.5-0226 or above.

Mitigation

None

Detail

  • CVE-2018-13283
    • Severity: Important
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    • Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.

Acknowledgement

丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT

Revision

Revision Date Description
1 2018-06-01 Initial public release.
2 2019-03-31 Disclosed vulnerability details.