Details of VAR-201403-0323

ID

VAR-201403-0323

CVE

CVE-2014-2264

TITLE

Synology DiskStation Manager VPN module hard-coded password vulnerability

Trust: 0.8

sources: CERT/CC: VU#534284

DESCRIPTION

The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. Synology Provided by DiskStation Manager Has a problem with hard-coded credentials. Successful attacks can allow a remote attacker to gain unauthorized access to the vulnerable device. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information

Trust: 2.7

sources: NVD: CVE-2014-2264 // CERT/CC: VU#534284 // JVNDB: JVNDB-2014-001516 // BID: 65879 // VULHUB: VHN-70203

AFFECTED PRODUCTS

vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.3-3810	Trust: 1.6
vendor:	synology	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	diskstation manager	scope:	lt	version:	of vpn server 1.2-2317 earlier	Trust: 0.8

sources: CERT/CC: VU#534284 // JVNDB: JVNDB-2014-001516 // CNNVD: CNNVD-201403-026 // NVD: CVE-2014-2264

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2264
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-2264
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201403-026
value:	HIGH
Trust: 0.6
VULHUB:	VHN-70203
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-2264
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-70203
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70203 // JVNDB: JVNDB-2014-001516 // CNNVD: CNNVD-201403-026 // NVD: CVE-2014-2264

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.9
problemtype:	CWE-255	Trust: 1.9

sources: VULHUB: VHN-70203 // JVNDB: JVNDB-2014-001516 // NVD: CVE-2014-2264

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-026

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201403-026

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001516

PATCH

title:	Release Notes for VPN Server	url:	http://www.synology.com/releaseNote/package/VPNCenter	Trust: 0.8
title:	DiskStation Manager	url:	http://www.synology.com/en-global/dsm/	Trust: 0.8

sources: JVNDB: JVNDB-2014-001516

EXTERNAL IDS

db:	CERT/CC	id:	VU#534284	Trust: 3.3
db:	NVD	id:	CVE-2014-2264	Trust: 2.8
db:	JVN	id:	JVNVU97152032	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-001516	Trust: 0.8
db:	CNNVD	id:	CNNVD-201403-026	Trust: 0.7
db:	BID	id:	65879	Trust: 0.4
db:	VULHUB	id:	VHN-70203	Trust: 0.1

sources: CERT/CC: VU#534284 // VULHUB: VHN-70203 // BID: 65879 // JVNDB: JVNDB-2014-001516 // CNNVD: CNNVD-201403-026 // NVD: CVE-2014-2264

REFERENCES

url:	http://www.kb.cert.org/vuls/id/534284	Trust: 2.5
url:	http://forum.synology.com/enu/viewtopic.php?f=173&t=77644	Trust: 2.4
url:	http://www.synology.com/en-global/releasenote/package/vpncenter	Trust: 1.6
url:	http://www.synology.com/en-us/dsm/index	Trust: 0.8
url:	http://www.synology.com/en-us/dsm/business_application_vpn_server	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2264	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97152032/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2264	Trust: 0.8
url:	http://forum.synology.com/enu/viewtopic.php?f=173&t=77644	Trust: 0.1

sources: CERT/CC: VU#534284 // VULHUB: VHN-70203 // JVNDB: JVNDB-2014-001516 // CNNVD: CNNVD-201403-026 // NVD: CVE-2014-2264

CREDITS

tesla563

Trust: 0.3

sources: BID: 65879

SOURCES

db:	CERT/CC	id:	VU#534284
db:	VULHUB	id:	VHN-70203
db:	BID	id:	65879
db:	JVNDB	id:	JVNDB-2014-001516
db:	CNNVD	id:	CNNVD-201403-026
db:	NVD	id:	CVE-2014-2264

LAST UPDATE DATE

2024-11-23T22:56:35.066000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#534284	date:	2014-03-04T00:00:00
db:	VULHUB	id:	VHN-70203	date:	2014-03-03T00:00:00
db:	BID	id:	65879	date:	2014-03-07T00:42:00
db:	JVNDB	id:	JVNDB-2014-001516	date:	2014-03-06T00:00:00
db:	CNNVD	id:	CNNVD-201403-026	date:	2014-03-07T00:00:00
db:	NVD	id:	CVE-2014-2264	date:	2024-11-21T02:05:57.803

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#534284	date:	2014-02-27T00:00:00
db:	VULHUB	id:	VHN-70203	date:	2014-03-02T00:00:00
db:	BID	id:	65879	date:	2014-02-28T00:00:00
db:	JVNDB	id:	JVNDB-2014-001516	date:	2014-03-03T00:00:00
db:	CNNVD	id:	CNNVD-201403-026	date:	2014-03-04T00:00:00
db:	NVD	id:	CVE-2014-2264	date:	2014-03-02T17:55:03.097