Synology-SA-18:62 Netatalk
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Critical
- Status: Resolved
Abstract
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Diskstation Manager (DSM) and Synology Router Manager (SRM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 6.2 | Critical | Upgrade to 6.2.1-23824-4 or above. |
| DSM 6.1 | Critical | Upgrade to 6.1.7-15284-3 or above. |
| DSM 5.2 | Critical | Upgrade to 5.2-5967-9 or above. |
| SkyNAS[1] | Critical | Please manually download and install version 6.1.7-15284-3. |
| VS960HD | Critical | Upgrade to 2.3.3-1646 or above. |
| SRM 1.2 | Important | Upgrade to 1.2-7742-5 or above. |
Mitigation
If you need immediate assistance, please contact Synology technical support via https://account.synology.com/support.
Detail
- CVE-2018-1160
- Severity: Critical
- CVSS3 Base Score: 9.8
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Netatalk before 3.1.12 is vulnerable to an out-of-bounds write in dsi_opensess.c, caused by a lack of bounds checking on attacker-controlled data. A remote, unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
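As an added example (not Netatalk's or Synology's code), the class of check the bug above calls for: a bounds-checked parser for the type/length/value option list carried in a DSI OpenSession request, with constructed payloads showing what a correct parser rejects. The one-byte type, one-byte length layout is the DSI option format; the struct, field and option-code names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define OPT_ATTN_QUANTUM 1          /* option code chosen for this example */
struct session {
    uint32_t attn_quantum;          /* fixed-size destination of the option */
};
/* Parse the TLV option list (1-byte type, 1-byte length, value) of an
 * OpenSession request. Returns 0 if every option is well-formed, -1 at the
 * first bad one; nothing is copied from a rejected option. */
int parse_opensess_options(struct session *s, const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i + 2 <= len) {                 /* need a type byte and a length byte */
        uint8_t type = buf[i];
        size_t  olen = buf[i + 1];
        if (olen > len - (i + 2))          /* bound 1: value lies inside the payload */
            return -1;
        switch (type) {
        case OPT_ATTN_QUANTUM:
            /* Bound 2: the client-declared length must fit the destination field;
             * without it memcpy writes past attn_quantum, the bug class described above. */
            if (olen > sizeof s->attn_quantum)
                return -1;
            memcpy(&s->attn_quantum, buf + i + 2, olen);
            break;
        default:
            break;                         /* unknown options are skipped, never copied */
        }
        i += 2 + olen;
    }
    return 0;
}

/* Constructed payloads (not captured traffic); each returns 0 when the parser behaves as intended. */
int case_valid(void)
{   /* 4-byte quantum: accepted and copied (0x04040404 regardless of host byte order) */
    struct session s = {0}; const uint8_t p[] = {OPT_ATTN_QUANTUM, 4, 4, 4, 4, 4};
    return parse_opensess_options(&s, p, sizeof p) == 0 && s.attn_quantum == 0x04040404u ? 0 : -1;
}
int case_oversized(void)
{   /* declared length 8 > sizeof(uint32_t): rejected by bound 2, field left untouched */
    struct session s = {0}; const uint8_t p[] = {OPT_ATTN_QUANTUM, 8, 1, 2, 3, 4, 5, 6, 7, 8};
    return parse_opensess_options(&s, p, sizeof p) == -1 && s.attn_quantum == 0 ? 0 : -1;
}
int case_truncated(void)
{   /* declared length 200 but only 2 value bytes present: rejected by bound 1 */
    struct session s = {0}; const uint8_t p[] = {OPT_ATTN_QUANTUM, 200, 0xAA, 0xBB};
    return parse_opensess_options(&s, p, sizeof p) == -1 ? 0 : -1;
}
```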
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2018-12-21 | Initial public release. |
| 2 | 2018-12-21 | Update for DSM 6.2 is now available in Affected Products. |
| 3 | 2018-12-26 | Update for VS960HD is now available in Affected Products. |
| 4 | 2018-12-28 | Update for SRM 1.2 is now available in Affected Products. |
| 5 | 2019-01-02 | Updates for DSM 6.1 and DSM 5.2 are now available in Affected Products. |
| 6 | 2019-01-04 | Update for SkyNAS is now available in Affected Products. |