Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)

Publish Time: 2024-11-05 15:15:34 UTC+8

Last Updated: 2024-11-21 19:04:27 UTC+8

Severity: Important

Status: Resolved

Abstract

Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server.

The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed.

Updates for Synology Drive Server for DSM 7.2.1 and for DSM 7.1 will be published within 30 days.

Affected Products

Product                              Severity   Fixed Release Availability
Synology Drive Server for DSM 7.2.2  Important  Upgrade to 3.5.1-26102 or above.
Synology Drive Server for DSM 7.2.1  Important  Upgrade to 3.5.0-26085 or above.
Synology Drive Server for DSM 7.1    Important  Upgrade to 3.2.1-23280 or above.
Synology Drive Server for DSM 6.2    Important  Upgrade to 3.0.4-12699 or above.

Mitigation

None

Detail

Reserved

Revision

Revision  Date        Description
1         2024-11-05  Initial public release.
2         2024-11-12  Update for Synology Drive Server for DSM 7.2.1 is now available in Affected Products.
3         2024-11-12  Update for Synology Drive Server for DSM 7.1 is now available in Affected Products.
4         2024-11-21  Added Synology Drive Server for DSM 6.2 to Affected Products.
5         2024-11-21  Update for Synology Drive Server for DSM 6.2 is now available in Affected Products.