Vulnerability Spotlight: Multiple vulnerabilities in Synology SRM (Synology Router Manager)
Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Claudio Bozzato and Jon Munshaw.

Cisco Talos recently discovered multiple remote vulnerabilities in software that helps power Synology routers. The bugs exist in Synology Router Manager (SRM), a Linux-based operating system for Synology routers, and in QuickConnect, a feature inside SRM that allows users to remotely connect to their routers. An adversary could use these vulnerabilities to carry out a range of malicious actions, including executing remote code on the device, exposing sensitive information about the victim's network, and communicating with other devices connected to the same network. In accordance with our coordinated disclosure policy, Cisco Talos worked with Synology to ensure that these issues are resolved and that an update is available for affected customers. One of the vulnerabilities also affects the Qualcomm LBD service, and Qualcomm has also released an update for it.

While this post focuses on SRM, which is where we did the research, Synology has informed us that DSM was also affected by the following:

TALOS-2020-1058 / CVE-2020-27648
TALOS-2020-1059 / CVE-2020-27650
TALOS-2020-1061 / CVE-2020-27652
TALOS-2020-1071 / CVE-2020-27656

Paths to root around the world

We discovered multiple vulnerabilities that allow us to achieve unconstrained root privileges on the router. Additionally, we found that it was possible to remotely communicate with any router that was using the QuickConnect feature and escalate our privileges to root.

As a small aside, in order to understand how the following vulnerabilities interconnect, it's important to discuss QuickConnect. Normally, if you wanted to manage your router remotely, you could make the web GUI port accessible from the WAN interface, and optionally also use a DDNS service ..