ID

VAR-201401-0159


CVE

CVE-2013-6955


TITLE

Synology DiskStation Manager arbitrary file modification

Trust: 0.8

sources: CERT/CC: VU#615910

DESCRIPTION

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

DiskStation Manager, provided by Synology, has a problem in its HTTP request processing that results in an improper access control vulnerability. Attacks using this vulnerability have been observed, and attack code exploiting this vulnerability has been released. A remote third party may append data to files on the system with root privileges. As a result, arbitrary code may be executed.

Synology DiskStation Manager is prone to a remote command-execution vulnerability. An attacker can exploit this issue to execute arbitrary commands with root privileges. Synology DiskStation Manager 4.x is vulnerable; other versions may also be affected.

Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. A security vulnerability exists in the webman/imageSelector.cgi file in Synology DSM 4.3-3776-3 and earlier versions.

http://www.synology.com/en-global/company/news/article/437

February 14, 2014 - Synology® confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released accordingly.

The following are possible symptoms that may appear on an affected DiskStation or RackStation:

Exceptionally high CPU usage detected in Resource Monitor: CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
Appearance of non-Synology folder: An automatically created shared folder with the name "startup", or a non-Synology folder appearing under the path of "/root/PWNED"
Redirection of the Web Station: "Index.php" is redirected to an unexpected page
Appearance of non-Synology CGI program: Files with meaningless names exist under the path of "/usr/syno/synoman"
Appearance of non-Synology script file: Non-Synology script files, such as "S99p.sh", appear under the path of "/usr/syno/etc/rc.d"

If users identify any of the above situations, they are strongly encouraged to do the following:

For DiskStation or RackStation running on DSM 4.3, please follow the instructions here (http://www.synology.com/en-global/support/faq/348) to REINSTALL DSM 4.3-3827.
For DiskStation or RackStation running on DSM 4.0, it's recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it's recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center (http://www.synology.com/en-global/support/download).

Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Execute Code

This is also known as the /PWNED or /lolz hack.

Trust: 2.79

sources: NVD: CVE-2013-6955 // CERT/CC: VU#615910 // JVNDB: JVNDB-2014-001004 // BID: 64516 // VULHUB: VHN-66957 // PACKETSTORM: 125864

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: eq, version: 4.0

Trust: 1.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.2

Trust: 1.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.3

Trust: 1.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.3-3810

Trust: 1.6

vendor: synology, model: -, scope: -, version: -

Trust: 0.8

vendor: synology, model: diskstation manager, scope: lte, version: version 4.3-3776-3

Trust: 0.8

sources: CERT/CC: VU#615910 // JVNDB: JVNDB-2014-001004 // CNNVD: CNNVD-201401-017 // NVD: CVE-2013-6955

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2013-6955
value: HIGH

Trust: 1.6

nvd@nist.gov: CVE-2013-6955
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201401-017
value: CRITICAL

Trust: 0.6

VULHUB: VHN-66957
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-6955
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2013-6955
severity: HIGH
baseScore: 10.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-66957
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#615910 // VULHUB: VHN-66957 // JVNDB: JVNDB-2014-001004 // CNNVD: CNNVD-201401-017 // NVD: CVE-2013-6955

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-66957 // JVNDB: JVNDB-2014-001004 // NVD: CVE-2013-6955

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 125864 // CNNVD: CNNVD-201401-017

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-017

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001004

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#615910 // VULHUB: VHN-66957

PATCH

title: DiskStation Manager, url: http://www.synology.com/ja-jp/dsm/index

Trust: 0.8

title: Download Center, url: http://www.synology.com/ja-jp/support/download

Trust: 0.8

sources: JVNDB: JVNDB-2014-001004

EXTERNAL IDS

db: CERT/CC, id: VU#615910

Trust: 3.3

db: NVD, id: CVE-2013-6955

Trust: 2.9

db: BID, id: 64516

Trust: 1.0

db: JVN, id: JVNVU95919136

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001004

Trust: 0.8

db: CNNVD, id: CNNVD-201401-017

Trust: 0.7

db: PACKETSTORM, id: 125864

Trust: 0.2

db: SEEBUG, id: SSVID-83853

Trust: 0.1

db: EXPLOIT-DB, id: 30470

Trust: 0.1

db: PACKETSTORM, id: 124568

Trust: 0.1

db: VULHUB, id: VHN-66957

Trust: 0.1

sources: CERT/CC: VU#615910 // VULHUB: VHN-66957 // BID: 64516 // JVNDB: JVNDB-2014-001004 // PACKETSTORM: 125864 // CNNVD: CNNVD-201401-017 // NVD: CVE-2013-6955

REFERENCES

url:http://www.kb.cert.org/vuls/id/615910

Trust: 2.5

url:http://www.synology.com/en-us/dsm/index

Trust: 0.8

url:http://www.synology.com/en-us/support/download

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/detect/pdf/20140305.pdf

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6955

Trust: 0.8

url:http://jvn.jp/cert/jvnvu95919136

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6955

Trust: 0.8

url:http://www.securityfocus.com/bid/64516

Trust: 0.6

url:http://www.synology.com/en-global/company/news/article/437

Trust: 0.1

url:http://www.synology.com/en-global/support/faq/348

Trust: 0.1

url:http://www.synology.com/en-global/support/download

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-6987

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-6955

Trust: 0.1

sources: CERT/CC: VU#615910 // VULHUB: VHN-66957 // JVNDB: JVNDB-2014-001004 // PACKETSTORM: 125864 // CNNVD: CNNVD-201401-017 // NVD: CVE-2013-6955

CREDITS

Markus Wulftange

Trust: 0.9

sources: BID: 64516 // CNNVD: CNNVD-201401-017

SOURCES

db: CERT/CC, id: VU#615910
db: VULHUB, id: VHN-66957
db: BID, id: 64516
db: JVNDB, id: JVNDB-2014-001004
db: PACKETSTORM, id: 125864
db: CNNVD, id: CNNVD-201401-017
db: NVD, id: CVE-2013-6955

LAST UPDATE DATE

2024-11-23T21:55:28.990000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#615910, date: 2014-01-07T00:00:00
db: VULHUB, id: VHN-66957, date: 2014-01-10T00:00:00
db: BID, id: 64516, date: 2014-01-09T00:40:00
db: JVNDB, id: JVNDB-2014-001004, date: 2014-03-07T00:00:00
db: CNNVD, id: CNNVD-201401-017, date: 2014-01-10T00:00:00
db: NVD, id: CVE-2013-6955, date: 2024-11-21T02:00:02.963

SOURCES RELEASE DATE

db: CERT/CC, id: VU#615910, date: 2014-01-07T00:00:00
db: VULHUB, id: VHN-66957, date: 2014-01-09T00:00:00
db: BID, id: 64516, date: 2013-12-25T00:00:00
db: JVNDB, id: JVNDB-2014-001004, date: 2014-01-09T00:00:00
db: PACKETSTORM, id: 125864, date: 2014-03-25T23:12:57
db: CNNVD, id: CNNVD-201401-017, date: 2013-12-25T00:00:00
db: NVD, id: CVE-2013-6955, date: 2014-01-09T18:07:04.033