Cisco Talos recently discovered multiple vulnerabilities in Synology DiskStation Manager.

DSM is the Linux-based operating system for every Synology network-attached storage device (NAS). The vulnerabilities exist in various features inside the operating system, including AppArmor and QuickConnect. TALOS-2020-1173 and TALOS-2020-1160 (CVE-2021-26564, CVE-2021-26565 and CVE-2021-26566) are both information disclosure vulnerabilities in DSM. An attacker could exploit both vulnerabilities to steal sensitive login credentials, including those of an administrator.

An attacker could also exploit TALOS-2020-1159 (CVE-2021-26560, CVE-2021-26561 and CVE-2021-26562) with a man-in-the-middle technique to gain the ability to remotely execute code as the root user (however within a restricted AppArmor profile) on the targeted device.

We also discovered TALOS-2020-1158(CVE-2021-26563), which could allow an adversary to bypass AppArmor's restrictions. AppArmor is a Linux security module, used inside DSM to restrict applications' capabilities within their OS. This can be used together with TALOS-2020-1159 in order to remotely execute arbitrary code as the root user, without restrictions.

Cisco Talos worked with Synology to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Synology DSM, version 6.2.3 25426-2 DS120j. Talos tested and confirmed these versions of DSM could be exploited by this vulnerability.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 55917 and 56137. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.