Check Point IPS Research Team Discovers Synology DiskStation Manager Vulnerability
( CVE-2010-2453 )
Summary
A remote code injection vulnerability has been discovered by the Check Point IPS Research team in the Synology DiskStation NAS operating system. An attacker can exploit this flaw and execute arbitrary code on an affected system.
Details
Synology DiskStation is a disk management operating system used in the Synology Network Attached Storage (NAS) products.
The vulnerability is due to insufficient validation by DiskStation's web interface when handling a malformed login command. A remote attacker could exploit this vulnerability by sending a specially crafted login command to a vulnerable system, and subsequently allow the attacker to execute arbitrary commands on it.
Affected Products
This vulnerability exists in DiskStation versions prior to v3.0-1337.
Solution
Check Point IPS Software Blade, IPS-1, and NGX SmartDefense have provided immediate network protection since the August 30, 2010 IPS update by detecting and blocking specially crafted FTP login commands that attempt to exploit this vulnerability. For more information, see CPAI-2010-270 and SBP-2010-24.
Acknowledgements
Acknowledgements go to Rodrigo Rubira Branco, a member of the Check Point IPS Research Team, for discovering and reporting this vulnerability. Responsible disclosure guidelines were followed, and the vendor has made a patch available.
The Check Point IPS Research team conducts original research on network, protocol and application vulnerabilities. The team also actively monitors and where appropriate communicates with white, black and grayhat communities to identify vulnerabilities and potential exploits before they are introduced into the wild. This research is used to develop and disseminate defenses through relevant Update Services components.
Originally Published:
Last Updated: 13-Dec-2010