Synology-SA-22:18 DSM

Publish Time: 2022-10-25 10:56:21 UTC+8

Last Updated: 2022-10-25 10:56:21 UTC+8

Severity: Moderate

Status: Resolved

Abstract

Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product	Severity	Fixed Release Availability
DSM 7.1	Moderate	Upgrade to 7.1-42661 or above.
DSM 7.0	Moderate	Upgrade to 7.1-42661 or above.
DSM 6.2	Moderate	Upgrade to 7.1-42661 or above.
DSMUC 3.1	Not affected	N/A
VS Firmware 3.0	Not affected	N/A

Mitigation

None

Detail

CVE-2022-27622
- Severity: Moderate
- CVSS3 Base Score: 4.1
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
- Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors.
CVE-2022-27623
- Severity: Moderate
- CVSS3 Base Score: 7.4
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.

Acknowledgement

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group

Revision

Revision	Date	Description
1	2022-10-25	Initial public release.