ID
VAR-202103-1061
CVE
CVE-2021-27646
TITLE
Synology DiskStation Manager Vulnerabilities in the use of freed memory
Trust: 0.8
DESCRIPTION
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. Synology DiskStation Manager (DSM) Is vulnerable to the use of freed memory.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the iscsi_snapshot_comm_core service. The issue results from the lack of proper locking when performing operations on an object, which can cause a pointer to be reused after it has been freed. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the current process. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information
Trust: 2.43
AFFECTED PRODUCTS
| vendor: | synology | model: | diskstation manager | scope: | lt | version: | 6.2.3-25426-3 | Trust: 1.0 |
| vendor: | synology | model: | diskstation manager | scope: | eq | version: | - | Trust: 0.8 |
| vendor: | synology | model: | diskstation manager | scope: | eq | version: | 6.2.3-25426-3 | Trust: 0.8 |
| vendor: | synology | model: | diskstation manager | scope: | - | version: | - | Trust: 0.7 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-416 | Trust: 1.1 |
| problemtype: | Use of freed memory (CWE-416) [NVD Evaluation ] | Trust: 0.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
resource management error
Trust: 0.6
PATCH
| title: | Synology-SA-20 | url: | https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_26 | Trust: 0.8 |
| title: | Synology has issued an update to correct this vulnerability. | url: | https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26 | Trust: 0.7 |
| title: | Synology DiskStation Manager Remediation of resource management error vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144322 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2021-27646 | Trust: 3.3 |
| db: | ZDI | id: | ZDI-21-340 | Trust: 2.5 |
| db: | ZDI | id: | ZDI-21-339 | Trust: 1.8 |
| db: | JVNDB | id: | JVNDB-2021-004442 | Trust: 0.8 |
| db: | ZDI_CAN | id: | ZDI-CAN-13476 | Trust: 0.7 |
| db: | CNNVD | id: | CNNVD-202103-902 | Trust: 0.7 |
| db: | VULHUB | id: | VHN-386939 | Trust: 0.1 |
| db: | VULMON | id: | CVE-2021-27646 | Trust: 0.1 |
REFERENCES
| url: | https://www.zerodayinitiative.com/advisories/zdi-21-339/ | Trust: 1.9 |
| url: | https://www.synology.com/security/advisory/synology_sa_20_26 | Trust: 1.8 |
| url: | https://www.zerodayinitiative.com/advisories/zdi-21-340/ | Trust: 1.8 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-27646 | Trust: 1.4 |
| url: | https://www.synology.com/zh-hk/security/advisory/synology_sa_20_26 | Trust: 0.7 |
| url: | https://cwe.mitre.org/data/definitions/416.html | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
CREDITS
Anonymous
Trust: 0.7
SOURCES
| db: | ZDI | id: | ZDI-21-340 |
| db: | VULHUB | id: | VHN-386939 |
| db: | VULMON | id: | CVE-2021-27646 |
| db: | JVNDB | id: | JVNDB-2021-004442 |
| db: | CNNVD | id: | CNNVD-202103-902 |
| db: | NVD | id: | CVE-2021-27646 |
LAST UPDATE DATE
2024-11-23T21:34:50.483000+00:00
SOURCES UPDATE DATE
| db: | ZDI | id: | ZDI-21-340 | date: | 2021-05-24T00:00:00 |
| db: | VULHUB | id: | VHN-386939 | date: | 2021-03-26T00:00:00 |
| db: | VULMON | id: | CVE-2021-27646 | date: | 2021-03-26T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-004442 | date: | 2021-11-22T08:22:00 |
| db: | CNNVD | id: | CNNVD-202103-902 | date: | 2021-03-23T00:00:00 |
| db: | NVD | id: | CVE-2021-27646 | date: | 2024-11-21T05:58:22.263 |
SOURCES RELEASE DATE
| db: | ZDI | id: | ZDI-21-340 | date: | 2021-03-22T00:00:00 |
| db: | VULHUB | id: | VHN-386939 | date: | 2021-03-12T00:00:00 |
| db: | VULMON | id: | CVE-2021-27646 | date: | 2021-03-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2021-004442 | date: | 2021-11-22T00:00:00 |
| db: | CNNVD | id: | CNNVD-202103-902 | date: | 2021-03-12T00:00:00 |
| db: | NVD | id: | CVE-2021-27646 | date: | 2021-03-12T07:15:13.717 |