Synology Patches Serious Bugs in DiskStation Manager

CVE-2022-27624
Image: Synology

Network-attached storage (NAS) company Synology has released updates for its DiskStation Manager (DSM) products to patch critical vulnerabilities.

There are four vulnerabilities in total in Synology DiskStation Manager, the web-based operating system that runs on every Synology NAS and is used to manage storage and data across network locations.


Three of the flaws, tracked as CVE-2022-27624, CVE-2022-27625, and CVE-2022-27626, are arbitrary command execution bugs affecting the packet decryption, message processing, and session processing functionality of Out-of-Band (OOB) Management. They can be exploited by a remote attacker to execute arbitrary commands and compromise DiskStation NAS models such as the DS3622xs+, FS3410, and HD6500.

An out-of-bounds read issue, CVE-2022-3576, was also found in the OOB Management feature; attackers can exploit it to obtain sensitive information.

  • CVE-2022-27624 (CVSS score: 10): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
  • CVE-2022-27625 (CVSS score: 10): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
  • CVE-2022-27626 (CVSS score: 10): A vulnerability regarding concurrent execution using the shared resource with improper synchronization (‘Race Condition’) is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
  • CVE-2022-3576 (CVSS score: 5.3): A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

Version 7.1.1-42962-2 or above of Synology DiskStation Manager resolves these vulnerabilities. Synology's security team has rated these issues as being of critical severity.
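A quick way to check an inventory of Synology devices against this advisory, added here as an example that is not Synology's own tooling: it parses DSM version strings in the compact major.minor.patch-build-update form used in the advisory (assumed; the DSM UI may display the update level differently) and flags affected models running anything older than 7.1.1-42962-2. The sample inventory is constructed for the demonstration.

```python
import re

# Values taken from the advisory above: affected models and the fixed DSM version.
AFFECTED_MODELS = {"DS3622xs+", "FS3410", "HD6500"}
FIXED_VERSION = "7.1.1-42962-2"
OOB_CVES = ("CVE-2022-27624", "CVE-2022-27625", "CVE-2022-27626", "CVE-2022-3576")

# Assumed layout: major.minor[.patch]-build[-update]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_dsm_version(text: str) -> tuple:
    """Turn a DSM version string such as '7.1.1-42962-2' into a comparable tuple.

    A missing patch or update level is treated as 0, so that the plain
    7.1.1-42962 build (without the -2 update) sorts below 7.1.1-42962-2.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, patch, build, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build), int(update or 0))


def is_affected(model: str, version: str) -> bool:
    """True when the model is in the advisory's list and runs a build older than the fix."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_dsm_version(version) < parse_dsm_version(FIXED_VERSION)


def triage(inventory):
    """Return the (model, version) pairs from an inventory that still need the update."""
    return [(m, v) for m, v in inventory if is_affected(m, v)]


# Constructed sample inventory; models and versions are made up for the demonstration.
SAMPLE_INVENTORY = [
    ("DS3622xs+", "7.1.1-42962"),    # fixed build but without the -2 update: affected
    ("FS3410", "7.1.1-42962-2"),     # patched
    ("HD6500", "7.1-42661-4"),       # older 7.1 branch: affected
    ("DS920+", "7.1-42661-4"),       # not in the advisory's model list
    ("DS3622xs+", "7.2-64570"),      # newer branch: not affected
]

if __name__ == "__main__":
    for model, version in triage(SAMPLE_INVENTORY):
        print(f"{model} on DSM {version} needs {FIXED_VERSION} or later ({', '.join(OOB_CVES)})")
```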