ID

VAR-202010-0962


CVE

CVE-2020-27651


TITLE

Synology Router Manager vulnerability regarding missing encryption of sensitive data (session cookie set without the Secure flag)

Trust: 0.8

sources: JVNDB: JVNDB-2020-012917

DESCRIPTION

Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag on the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. SRM is therefore affected by a missing encryption of sensitive data vulnerability: because the cookie lacks the Secure attribute, a browser will also attach it to plaintext http:// requests to the device, so an attacker positioned on the network path can read it and replay the session. A captured session cookie may allow an attacker to obtain information, tamper with information, or disrupt service (DoS). Synology Router Manager (SRM) is software developed by Synology (Taiwan) for configuring and managing Synology routers. Versions of SRM prior to 1.2.4-8081 are affected.
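Added example (not code from Synology, Cisco Talos, NVD or any of the databases listed here): a small Python auditor that parses Set-Cookie headers, reports cookies missing the Secure (and HttpOnly) attribute, and models the browser rule that makes the weakness exploitable, namely that a cookie without Secure is attached to plaintext http:// requests as well. The two Set-Cookie lines in the block are constructed for illustration and are not real SRM output; the cookie name "id" and the value are placeholders. The optional audit_url() helper is only used when a URL is passed on the command line, and disables certificate verification because routers commonly present self-signed certificates; that is acceptable for a lab check against your own device, not for anything else.

```python
"""Audit Set-Cookie headers for the Secure flag (CWE-614 / CWE-311 style weakness).

Added example; the sample headers below are constructed, not captured from SRM.
"""
import ssl
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased; flag attributes (Secure, HttpOnly) map to ""
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value leniently (RFC 6265 syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def would_send_over_http(cookie: Cookie) -> bool:
    """Browser rule (RFC 6265 section 5.4): a cookie is attached to a plaintext
    http:// request unless its Secure attribute is set."""
    return not cookie.secure


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every cookie lacking a hardening flag.
    An empty dict means all cookies carried both Secure and HttpOnly."""
    findings: Dict[str, List[str]] = {}
    for hdr in set_cookie_headers:
        cookie = parse_set_cookie(hdr)
        issues = []
        if would_send_over_http(cookie):
            issues.append("missing Secure: browser will also send it over plain http://")
        if not cookie.httponly:
            issues.append("missing HttpOnly: readable by page scripts")
        if issues:
            findings[cookie.name] = issues
    return findings


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL and audit every Set-Cookie header in the response.
    Certificate checks are disabled so a self-signed router cert does not abort
    the check; use this only against a device you own, on a lab network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return audit_cookies(headers)


# Constructed samples: the shape of a weak header (no flags) and a hardened one.
WEAK = "id=6b0c1d2e3f; Path=/"
HARDENED = "id=6b0c1d2e3f; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_url(sys.argv[1]))
    else:
        for hdr in (WEAK, HARDENED):
            print(f"{hdr!r}: sent over http? {would_send_over_http(parse_set_cookie(hdr))}")
        print(audit_cookies([WEAK, HARDENED]))
```

Run it with no arguments to see the constructed weak header flagged and the hardened one pass; run it with the management URL of a device you own (for example its https:// login page) to audit the cookies that device actually sets. The fix on the server side is the hardened form: emit the session cookie with Secure and HttpOnly, and serve the management interface only over HTTPS so there is no http:// request for the cookie to leak on.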

Trust: 1.8

sources: NVD: CVE-2020-27651 // JVNDB: JVNDB-2020-012917 // VULHUB: VHN-371560 // VULMON: CVE-2020-27651

AFFECTED PRODUCTS

vendor: synology, model: router manager, scope: gte, version: 1.2

Trust: 1.0

vendor: synology, model: router manager, scope: lt, version: 1.2.4-8081

Trust: 1.0

vendor: synology, model: router manager, scope: eq, version: 1.2.4-8081

Trust: 0.8

vendor: synology, model: router manager, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-012917 // NVD: CVE-2020-27651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27651
value: HIGH

Trust: 1.0

security@synology.com: CVE-2020-27651
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-27651
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202010-1640
value: MEDIUM

Trust: 0.6

VULHUB: VHN-371560
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-27651
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-371560
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27651
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security@synology.com: CVE-2020-27651
baseSeverity: MEDIUM
baseScore: 5.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.6
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-27651
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-371560 // JVNDB: JVNDB-2020-012917 // CNNVD: CNNVD-202010-1640 // NVD: CVE-2020-27651

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.1

problemtype:CWE-614

Trust: 1.0

problemtype: Missing Encryption of Sensitive Data (CWE-311) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-371560 // JVNDB: JVNDB-2020-012917 // NVD: CVE-2020-27651

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1640

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202010-1640

PATCH

title: Synology-SA-20, url: https://www.synology.com/security/advisory/Synology_SA_20_14

Trust: 0.8

title: Synology Router Manager security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=131797

Trust: 0.6

sources: JVNDB: JVNDB-2020-012917 // CNNVD: CNNVD-202010-1640

EXTERNAL IDS

db: NVD, id: CVE-2020-27651

Trust: 2.6

db: TALOS, id: TALOS-2020-1059

Trust: 1.8

db: JVNDB, id: JVNDB-2020-012917

Trust: 0.8

db: CNNVD, id: CNNVD-202010-1640

Trust: 0.7

db: CNVD, id: CNVD-2020-60453

Trust: 0.1

db: VULHUB, id: VHN-371560

Trust: 0.1

db: VULMON, id: CVE-2020-27651

Trust: 0.1

sources: VULHUB: VHN-371560 // VULMON: CVE-2020-27651 // JVNDB: JVNDB-2020-012917 // CNNVD: CNNVD-202010-1640 // NVD: CVE-2020-27651

REFERENCES

url:https://www.synology.com/security/advisory/synology_sa_20_14

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-27651

Trust: 1.4

url:https://www.talosintelligence.com/vulnerability_reports/talos-2020-1059

Trust: 1.2

url:https://talosintelligence.com/vulnerability_reports/talos-2020-1059

Trust: 1.2

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-371560 // VULMON: CVE-2020-27651 // JVNDB: JVNDB-2020-012917 // CNNVD: CNNVD-202010-1640 // NVD: CVE-2020-27651

CREDITS

Discovered by Claudio Bozzato of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202010-1640

SOURCES

db: VULHUB, id: VHN-371560
db: VULMON, id: CVE-2020-27651
db: JVNDB, id: JVNDB-2020-012917
db: CNNVD, id: CNNVD-202010-1640
db: NVD, id: CVE-2020-27651

LAST UPDATE DATE

2024-11-23T21:51:15.208000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-371560, date: 2020-11-06T00:00:00
db: VULMON, id: CVE-2020-27651, date: 2020-11-06T00:00:00
db: JVNDB, id: JVNDB-2020-012917, date: 2021-06-15T03:03:00
db: CNNVD, id: CNNVD-202010-1640, date: 2020-10-30T00:00:00
db: NVD, id: CVE-2020-27651, date: 2024-11-21T05:21:35.680

SOURCES RELEASE DATE

db: VULHUB, id: VHN-371560, date: 2020-10-29T00:00:00
db: VULMON, id: CVE-2020-27651, date: 2020-10-29T00:00:00
db: JVNDB, id: JVNDB-2020-012917, date: 2021-06-15T00:00:00
db: CNNVD, id: CNNVD-202010-1640, date: 2020-10-29T00:00:00
db: NVD, id: CVE-2020-27651, date: 2020-10-29T09:15:12.903