
CERT Coordination Center

Synology DiskStation Manager arbitrary file modification

Vulnerability Note VU#615910

Original Release Date: 2014-01-07 | Last Revised: 2014-01-07

Overview

Synology DiskStation Manager versions 4.3-3776-3 and below contain a vulnerability that allows a remote unauthenticated user to append arbitrary data to an arbitrary file under root privileges.

Description

CWE-284: Improper Access Control - CVE-2013-6955

Synology DiskStation Manager versions 4.3-3776-3 and below allow a remote unauthenticated user to append arbitrary data to files on the system under root privileges. According to Synology:

Synology File Station in DSM employs a technique called "Slice Upload" to upload files when the file size is over 4GB [in the] Firefox browser. Since this feature is implemented in DSM4.0, all versions of DSM after DSM4.0 are subject to this vulnerability.

To exploit this vulnerability, an attacker needs to send a specially crafted HTTP POST request to /webman/imageSelector.cgi containing the header fields X-TYPE-NAME: SLICEUPLOAD and X-TMP-FILE, with X-TMP-FILE set to the valid path of the file to which the malicious code or data is to be appended.
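The request indicators named above can be turned into a detection check for request heads captured at a reverse proxy or IDS. The following is an added example, not code from CERT/CC or Synology; the function names, the case-insensitive comparison of the header value and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Indicators from the advisory text (VU#615910 / CVE-2013-6955).
TARGET_PATH = "/webman/imageSelector.cgi"
TYPE_HEADER, TYPE_VALUE, TMP_HEADER = "x-type-name", "SLICEUPLOAD", "x-tmp-file"

def parse_request_head(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None  # not a well-formed request line
    # Drop the query string, percent-decode, and collapse "//" and "/./"
    # so trivially obfuscated paths still compare equal.
    path = unquote(parts[1].split("?", 1)[0])
    path = "/" + posixpath.normpath(path).lstrip("/")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return parts[0].upper(), path, headers

def match_slice_upload(raw):
    """Return the X-TMP-FILE value if the request carries the advisory's indicators."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    if method != "POST" or path != TARGET_PATH:
        return None
    # Assumption: compare the header value case-insensitively to stay conservative.
    if headers.get(TYPE_HEADER, "").upper() != TYPE_VALUE:
        return None
    return headers.get(TMP_HEADER)  # None when the second header is absent

# Constructed sample requests (not captured traffic); the paths are placeholders.
SAMPLES = [
    "POST /webman/imageSelector.cgi HTTP/1.1\r\nHost: nas.example\r\n"
    "X-TYPE-NAME: SLICEUPLOAD\r\nX-TMP-FILE: /constructed/placeholder-a\r\n\r\n",
    "POST /webman//./imageSelector.cgi?x=1 HTTP/1.1\r\nHost: nas.example\r\n"
    "x-type-name: sliceupload\r\nx-tmp-file: /constructed/placeholder-b\r\n\r\n",
    "POST /webman/imageSelector.cgi HTTP/1.1\r\nHost: nas.example\r\n\r\n",
    "GET /webman/index.cgi HTTP/1.1\r\nHost: nas.example\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split("\r\n", 1)[0], "->", match_slice_upload(raw))
```

A non-None result is the file path named in X-TMP-FILE, which tells a responder which file on the device to inspect for appended data.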

Impact

A remote unauthenticated attacker may be able to execute arbitrary code on the system under root privileges.

Solution

Apply an Update

Synology has advised users to upgrade to the latest version of DiskStation Manager (DSM).

For Synology products released in 2008 (x08 series), DSM4.0-2259 has been released to address this issue.
For Synology products released after 2009, DSM4.2-3243 has been released to address this issue for DSM4.2 users. DSM4.3-3810 Update 1 has been released to address this issue for DSM4.3 users.

Vendor Information


Synology Affected

Notified: November 08, 2013 | Updated: December 19, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8    E:POC/RL:OF/RC:C
Environmental  2.0    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Markus Wulftange for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2013-6955
Date Public: 2014-01-07
Date First Published: 2014-01-07
Date Last Updated: 2014-01-07 18:07 UTC
Document Revision: 15

Sponsored by CISA.