CVE-2021-26564 in DiskStation Manager

Summary

by MITRE • 02/27/2021

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.


Analysis

by VulDB Data Team • 05/04/2025

The vulnerability identified as CVE-2021-26564 represents a critical cleartext transmission flaw within the synorelayd service component of Synology DiskStation Manager operating systems. This issue affects DSM versions prior to 6.2.3-25426-3 and exposes the system to man-in-the-middle attack vectors through unencrypted HTTP session communication. The synorelayd daemon serves as a relay service for various network functions within the Synology ecosystem, making this vulnerability particularly concerning for enterprise and home network environments where sensitive data exchanges occur regularly.

Technically, the vulnerability stems from the service's reliance on unencrypted HTTP for session management and data transmission, with no encryption or secure channel protecting the exchange. When a client connects through synorelayd, its session information crosses the network in plaintext, so an attacker positioned on the network path can intercept and manipulate those communications. The flaw specifically affects the authentication and authorization steps performed during HTTP session establishment, allowing a malicious actor to potentially impersonate a legitimate server and gain unauthorized access to network resources.

From an operational perspective, this vulnerability creates significant risk for organizations that rely on Synology NAS devices for critical data storage and sharing. An attacker can exploit the weakness to hijack sessions, capture authentication credentials, and potentially gain elevated privileges within the network. Exploitation requires only minimal network proximity or interception capability, which makes the issue particularly dangerous on shared networks such as corporate offices, public Wi-Fi, or home networks with many connected devices. Organizations running affected DSM versions face potential data breaches, unauthorized access to sensitive files, and possible lateral movement within their infrastructure.

The vulnerability aligns with CWE-319, which specifically addresses cleartext transmission of sensitive information, and represents a clear violation of secure communication principles outlined in various cybersecurity frameworks including NIST SP 800-53 and ISO 27001 standards. From an ATT&CK framework perspective, this vulnerability maps to T1046 Network Service Scanning and T1566 Phishing, as attackers can leverage the cleartext transmission to establish malicious network connections and potentially escalate privileges through captured session information. The risk assessment indicates this vulnerability should be prioritized for immediate remediation, as it provides attackers with a straightforward path to compromise network integrity and confidentiality.

Organizations should implement immediate mitigations including upgrading to DSM version 6.2.3-25426-3 or later, which includes proper encryption mechanisms and secure communication protocols. Network administrators should also consider implementing additional security controls such as network segmentation, intrusion detection systems, and monitoring for unusual network traffic patterns that might indicate exploitation attempts. Regular vulnerability assessments and security audits should be conducted to identify similar cleartext transmission vulnerabilities across the entire network infrastructure, ensuring comprehensive protection against this class of attack vectors.
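The first remediation step above is an inventory question: which of your DiskStation units still run a DSM build older than 6.2.3-25426-3? The following script is an added example, not code from VulDB or Synology, that parses DSM version strings and compares them against the fixed version named in this advisory. It assumes (not stated on this page) that DSM versions follow the shape major.minor[.patch][-build[-update]] and that a missing patch, build or update field counts as 0, so "6.2.3-25426" (no update suffix) is treated as older than "6.2.3-25426-3". The hostnames and version strings in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed release stated in the advisory for CVE-2021-26564.
FIXED_VERSION = "6.2.3-25426-3"


class DsmVersion(NamedTuple):
    """Ordered components of a DSM version; tuple comparison gives the right order."""
    major: int
    minor: int
    patch: int
    build: int
    update: int


# Assumed format: major.minor[.patch][-build[-update]] (not taken from the advisory).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?(?:-(\d+))?$")


def parse_dsm_version(text: str) -> DsmVersion:
    """Parse a DSM version string such as '6.2.3-25426-3'.

    Missing patch, build or update fields are treated as 0, so a build with no
    update suffix sorts before the same build with '-3' appended.
    Raises ValueError for strings that do not match the assumed format.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, patch, build, update = (int(g) if g else 0 for g in match.groups())
    return DsmVersion(major, minor, patch, build, update)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the given DSM version is older than the fixed release."""
    return parse_dsm_version(version) < parse_dsm_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (hostname, version) pair as affected, patched or unparseable.

    Unparseable entries are reported rather than silently skipped, so that a
    device with a garbled version string is not mistaken for a patched one.
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("nas-01", "6.2.3-25426-2"),   # one update behind the fix
    ("nas-02", "6.2.3-25426-3"),   # exactly the fixed release
    ("nas-03", "6.2.2-24922"),     # older build, no update suffix
    ("nas-04", "unknown"),         # version could not be collected
    ("nas-05", "7.0.1-42218"),     # newer major release
]


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Feed the script the version strings collected from your own fleet (for example from the DSM management interface or an asset database) in place of SAMPLE_INVENTORY; any host reported as "affected" or "unparseable" should be checked by hand before being closed out.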

Responsible

Synology Inc.

Reservation

02/02/2021

Disclosure

02/27/2021

Moderation

accepted

CPE

ready

EPSS

0.00602

KEV

no

Activities

very low

Sources
