Synology Drive Client prior 3.5.0-16084 Backup Task Management out-of-bounds write
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.5 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in Synology Drive Client. This affects an unknown function of the component Backup Task Management. This manipulation causes out-of-bounds write. The identification of this vulnerability is CVE-2022-49039. The attack can only be executed locally. There is no exploit available. You should upgrade the affected component.
Details
A vulnerability was found in Synology Drive Client. It has been declared as critical. Affected by this vulnerability is some unknown functionality of the component Backup Task Management. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Out-of-bounds write vulnerability in backup task management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to execute arbitrary commands via unspecified vectors.
The weakness was shared by Zhao Runzi as SA_24_10. It is possible to read the advisory at synology.com. This vulnerability is known as CVE-2022-49039 since 09/24/2024. The exploitation appears to be easy. Attacking locally is a requirement. Additional levels of successful authentication are needed for exploitation. The technical details are unknown and an exploit is not publicly available.
Upgrading to version 3.5.0-16084 eliminates this vulnerability.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
License
Website
- Vendor: https://www.synology.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.7VulDB Meta Temp Score: 6.6
VulDB Base Score: 6.7
VulDB Temp Score: 6.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 6.7
CNA Vector (synology): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Out-of-bounds writeCWE: CWE-787 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Drive Client 3.5.0-16084
Timeline
09/24/2024 🔍09/26/2024 🔍
09/26/2024 🔍
09/26/2024 🔍
Sources
Vendor: synology.comAdvisory: SA_24_10
Researcher: Zhao Runzi
Status: Confirmed
CVE: CVE-2022-49039 (🔍)
GCVE (CVE): GCVE-0-2022-49039
GCVE (VulDB): GCVE-100-278539
Entry
Created: 09/26/2024 08:26Changes: 09/26/2024 08:26 (65)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.