ID

VAR-202010-0967


CVE

CVE-2020-27656


TITLE

Synology DiskStation Manager Information disclosure vulnerability

Trust: 1.2

sources: CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641

DESCRIPTION

Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. Synology Router Manager (SRM) versions prior to 1.2.4-8081 have a security vulnerability.

Trust: 1.8

sources: NVD: CVE-2020-27656 // JVNDB: JVNDB-2020-012781 // VULHUB: VHN-371565 // VULMON: CVE-2020-27656

AFFECTED PRODUCTS

vendor: synology // model: diskstation manager // scope: gte // version: 6.2

Trust: 1.0

vendor: synology // model: diskstation manager // scope: lt // version: 6.2.3-25426-2

Trust: 1.0

vendor: synology // model: diskstation manager // scope: eq // version: -

Trust: 0.8

vendor: synology // model: diskstation manager // scope: eq // version: 6.2.3-25426-2

Trust: 0.8

sources: JVNDB: JVNDB-2020-012781 // NVD: CVE-2020-27656

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27656
value: LOW

Trust: 1.0

security@synology.com: CVE-2020-27656
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-27656
value: LOW

Trust: 0.8

CNNVD: CNNVD-202010-1661
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202010-1641
value: LOW

Trust: 0.6

VULHUB: VHN-371565
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-27656
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-371565
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27656
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.1

Trust: 1.0

security@synology.com: CVE-2020-27656
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-27656
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-371565 // JVNDB: JVNDB-2020-012781 // CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641 // NVD: CVE-2020-27656 // NVD: CVE-2020-27656

PROBLEMTYPE DATA

problemtype: CWE-319

Trust: 1.1

problemtype: Sending important information in clear text (CWE-319) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-371565 // JVNDB: JVNDB-2020-012781 // NVD: CVE-2020-27656

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641

TYPE

information disclosure

Trust: 1.2

sources: CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641

PATCH

title: Synology-SA-20 // url: https://www.synology.com/security/advisory/Synology_SA_20_18

Trust: 0.8

title: Synology DiskStation Manager Repair measures for information disclosure vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=131816

Trust: 0.6

title: Synology DiskStation Manager Repair measures for information disclosure vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=132135

Trust: 0.6

sources: JVNDB: JVNDB-2020-012781 // CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641

EXTERNAL IDS

db: NVD // id: CVE-2020-27656

Trust: 3.2

db: TALOS // id: TALOS-2020-1071

Trust: 2.4

db: JVNDB // id: JVNDB-2020-012781

Trust: 0.8

db: CNNVD // id: CNNVD-202010-1661

Trust: 0.7

db: CNNVD // id: CNNVD-202010-1641

Trust: 0.7

db: CNVD // id: CNVD-2020-60458

Trust: 0.1

db: VULHUB // id: VHN-371565

Trust: 0.1

db: VULMON // id: CVE-2020-27656

Trust: 0.1

sources: VULHUB: VHN-371565 // VULMON: CVE-2020-27656 // JVNDB: JVNDB-2020-012781 // CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641 // NVD: CVE-2020-27656

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_18

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-27656

Trust: 1.4

url: https://www.talosintelligence.com/vulnerability_reports/talos-2020-1071

Trust: 1.2

url: https://talosintelligence.com/vulnerability_reports/talos-2020-1071

Trust: 1.2

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-371565 // VULMON: CVE-2020-27656 // JVNDB: JVNDB-2020-012781 // CNNVD: CNNVD-202010-1661 // CNNVD: CNNVD-202010-1641 // NVD: CVE-2020-27656

CREDITS

Discovered by Claudio Bozzato of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202010-1661

SOURCES

db: VULHUB // id: VHN-371565
db: VULMON // id: CVE-2020-27656
db: JVNDB // id: JVNDB-2020-012781
db: CNNVD // id: CNNVD-202010-1661
db: CNNVD // id: CNNVD-202010-1641
db: NVD // id: CVE-2020-27656

LAST UPDATE DATE

2024-11-23T22:37:13.673000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-371565 // date: 2020-11-03T00:00:00
db: VULMON // id: CVE-2020-27656 // date: 2020-11-03T00:00:00
db: JVNDB // id: JVNDB-2020-012781 // date: 2021-06-03T08:31:00
db: CNNVD // id: CNNVD-202010-1661 // date: 2020-10-30T00:00:00
db: CNNVD // id: CNNVD-202010-1641 // date: 2020-11-04T00:00:00
db: NVD // id: CVE-2020-27656 // date: 2024-11-21T05:21:36.363

SOURCES RELEASE DATE

db: VULHUB // id: VHN-371565 // date: 2020-10-29T00:00:00
db: VULMON // id: CVE-2020-27656 // date: 2020-10-29T00:00:00
db: JVNDB // id: JVNDB-2020-012781 // date: 2021-06-03T00:00:00
db: CNNVD // id: CNNVD-202010-1661 // date: 2020-10-29T00:00:00
db: CNNVD // id: CNNVD-202010-1641 // date: 2020-10-29T00:00:00
db: NVD // id: CVE-2020-27656 // date: 2020-10-29T09:15:13.497