ID

VAR-202103-1170


CVE

CVE-2021-26569


TITLE

Synology DiskStation Manager Race Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-004463

DESCRIPTION

Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. Synology DiskStation Manager (DSM) is vulnerable to a race condition. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the iscsi_snapshot_comm_core service. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the current process. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information.

Trust: 2.43

sources: NVD: CVE-2021-26569 // JVNDB: JVNDB-2021-004463 // ZDI: ZDI-21-338 // VULHUB: VHN-385710 // VULMON: CVE-2021-26569

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lt, version: 6.2.3-25426-3

Trust: 1.0

vendor: synology, model: diskstation manager, scope: eq, version: -

Trust: 0.8

vendor: synology, model: diskstation manager, scope: eq, version: 6.2.3-25426-3

Trust: 0.8

vendor: synology, model: diskstation manager, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-21-338 // JVNDB: JVNDB-2021-004463 // NVD: CVE-2021-26569

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-26569
value: HIGH

Trust: 1.0

security@synology.com: CVE-2021-26569
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-26569
value: HIGH

Trust: 0.8

ZDI: CVE-2021-26569
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-202103-919
value: HIGH

Trust: 0.6

VULHUB: VHN-385710
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-26569
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-26569
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-385710
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-26569
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security@synology.com: CVE-2021-26569
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-26569
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2021-26569
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-338 // VULHUB: VHN-385710 // VULMON: CVE-2021-26569 // JVNDB: JVNDB-2021-004463 // CNNVD: CNNVD-202103-919 // NVD: CVE-2021-26569 // NVD: CVE-2021-26569

PROBLEMTYPE DATA

problemtype: CWE-362

Trust: 1.1

problemtype: CWE-366

Trust: 1.0

problemtype: Race condition (CWE-362) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-385710 // JVNDB: JVNDB-2021-004463 // NVD: CVE-2021-26569

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-919

TYPE

race condition

Trust: 0.6

sources: CNNVD: CNNVD-202103-919

PATCH

title: Synology-SA-20
url: https://www.synology.com/security/advisory/Synology_SA_20_26

Trust: 0.8

title: Synology has issued an update to correct this vulnerability.
url: https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26

Trust: 0.7

title: Synology DiskStation Manager remediation measures for the race condition vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144569

Trust: 0.6

sources: ZDI: ZDI-21-338 // JVNDB: JVNDB-2021-004463 // CNNVD: CNNVD-202103-919

EXTERNAL IDS

db: NVD, id: CVE-2021-26569

Trust: 3.3

db: ZDI, id: ZDI-21-338

Trust: 2.5

db: JVNDB, id: JVNDB-2021-004463

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-12305

Trust: 0.7

db: CNNVD, id: CNNVD-202103-919

Trust: 0.7

db: VULHUB, id: VHN-385710

Trust: 0.1

db: VULMON, id: CVE-2021-26569

Trust: 0.1

sources: ZDI: ZDI-21-338 // VULHUB: VHN-385710 // VULMON: CVE-2021-26569 // JVNDB: JVNDB-2021-004463 // CNNVD: CNNVD-202103-919 // NVD: CVE-2021-26569

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-21-338/

Trust: 1.9

url:https://www.synology.com/security/advisory/synology_sa_20_26

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-26569

Trust: 1.4

url:https://www.synology.com/zh-hk/security/advisory/synology_sa_20_26

Trust: 0.7

url:https://cwe.mitre.org/data/definitions/362.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-21-338 // VULHUB: VHN-385710 // VULMON: CVE-2021-26569 // JVNDB: JVNDB-2021-004463 // CNNVD: CNNVD-202103-919 // NVD: CVE-2021-26569

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-21-338

SOURCES

db: ZDI, id: ZDI-21-338
db: VULHUB, id: VHN-385710
db: VULMON, id: CVE-2021-26569
db: JVNDB, id: JVNDB-2021-004463
db: CNNVD, id: CNNVD-202103-919
db: NVD, id: CVE-2021-26569

LAST UPDATE DATE

2024-11-23T23:07:38.087000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-21-338, date: 2021-05-24T00:00:00
db: VULHUB, id: VHN-385710, date: 2022-08-02T00:00:00
db: VULMON, id: CVE-2021-26569, date: 2021-03-18T00:00:00
db: JVNDB, id: JVNDB-2021-004463, date: 2021-11-22T08:59:00
db: CNNVD, id: CNNVD-202103-919, date: 2022-08-10T00:00:00
db: NVD, id: CVE-2021-26569, date: 2024-11-21T05:56:30.150

SOURCES RELEASE DATE

db: ZDI, id: ZDI-21-338, date: 2021-03-18T00:00:00
db: VULHUB, id: VHN-385710, date: 2021-03-12T00:00:00
db: VULMON, id: CVE-2021-26569, date: 2021-03-12T00:00:00
db: JVNDB, id: JVNDB-2021-004463, date: 2021-11-22T00:00:00
db: CNNVD, id: CNNVD-202103-919, date: 2021-03-12T00:00:00
db: NVD, id: CVE-2021-26569, date: 2021-03-12T07:15:12.437