Sign-up

ID

VAR-202102-1277


CVE

CVE-2021-26561


TITLE

Synology DiskStation Manager  Buffer Error Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-004175

DESCRIPTION

Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. Synology DiskStation Manager (DSM) Is vulnerable to a buffer error.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information

Trust: 2.25

sources: NVD: CVE-2021-26561 // JVNDB: JVNDB-2021-004175 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385702

AFFECTED PRODUCTS

vendor:synologymodel:diskstation managerscope:ltversion:6.2.3-25426-3

Trust: 1.0

vendor:synologymodel:diskstation manager unified controllerscope:eqversion:3.0

Trust: 1.0

vendor:synologymodel:skynasscope:eqversion: -

Trust: 1.0

vendor:synologymodel:vs960hdscope:eqversion: -

Trust: 1.0

vendor:synologymodel:diskstation managerscope: - version: -

Trust: 0.8

vendor:synologymodel:diskstation manager unified controllerscope: - version: -

Trust: 0.8

vendor:synologymodel:skynasscope: - version: -

Trust: 0.8

vendor:synologymodel:vs960hdscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-004175 // NVD: CVE-2021-26561

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-26561
value: HIGH

Trust: 1.0

security@synology.com: CVE-2021-26561
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-26561
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202102-1710
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

VULHUB: VHN-385702
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-26561
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-385702
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-26561
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security@synology.com: CVE-2021-26561
baseSeverity: CRITICAL
baseScore: 9.0
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-26561
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-385702 // JVNDB: JVNDB-2021-004175 // CNNVD: CNNVD-202102-1710 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26561 // NVD: CVE-2021-26561

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

problemtype:CWE-121

Trust: 1.0

problemtype:Buffer error (CWE-119) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-385702 // JVNDB: JVNDB-2021-004175 // NVD: CVE-2021-26561

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1710

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202102-1710

PATCH

title:Synology-SA-20url:https://www.synology.com/security/advisory/Synology_SA_20_26

Trust: 0.8

title:Synology DiskStation Manager Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143565

Trust: 0.6

sources: JVNDB: JVNDB-2021-004175 // CNNVD: CNNVD-202102-1710

EXTERNAL IDS

db:NVDid:CVE-2021-26561

Trust: 2.5

db:TALOSid:TALOS-2020-1159

Trust: 1.7

db:JVNDBid:JVNDB-2021-004175

Trust: 0.8

db:CS-HELPid:SB2021042002

Trust: 0.6

db:CNNVDid:CNNVD-202102-1710

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:VULHUBid:VHN-385702

Trust: 0.1

sources: VULHUB: VHN-385702 // JVNDB: JVNDB-2021-004175 // CNNVD: CNNVD-202102-1710 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26561

REFERENCES

url:https://www.synology.com/security/advisory/synology_sa_20_26

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-26561

Trust: 1.4

url:https://talosintelligence.com/vulnerability_reports/talos-2020-1159

Trust: 1.2

url:https://www.talosintelligence.com/vulnerability_reports/talos-2020-1159

Trust: 1.1

url:https://www.cybersecurity-help.cz/vdb/sb2021042002

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

sources: VULHUB: VHN-385702 // JVNDB: JVNDB-2021-004175 // CNNVD: CNNVD-202102-1710 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26561

CREDITS

Discovered by Claudio Bozzato and Lilith >_> of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202102-1710

SOURCES

db:VULHUBid:VHN-385702
db:JVNDBid:JVNDB-2021-004175
db:CNNVDid:CNNVD-202102-1710
db:CNNVDid:CNNVD-202104-975
db:NVDid:CVE-2021-26561

LAST UPDATE DATE

2024-11-23T20:01:16.689000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-385702date:2022-04-26T00:00:00
db:JVNDBid:JVNDB-2021-004175date:2021-11-16T06:39:00
db:CNNVDid:CNNVD-202102-1710date:2022-04-27T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:NVDid:CVE-2021-26561date:2024-11-21T05:56:29.137

SOURCES RELEASE DATE

db:VULHUBid:VHN-385702date:2021-02-26T00:00:00
db:JVNDBid:JVNDB-2021-004175date:2021-11-16T00:00:00
db:CNNVDid:CNNVD-202102-1710date:2021-02-26T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:NVDid:CVE-2021-26561date:2021-02-26T22:15:19.877