search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Synology Cloud Station sync client for OS X allows regular users to claim ownership of system files

Vulnerability Note VU#551972

Original Release Date: 2015-05-26 | Last Revised: 2015-05-27

Overview

The Synology Cloud Station sync client for OS X contains a setuid root executable that allows regular users to claim ownership of system files.

Description

CWE-276: Incorrect Default Permissions - CVE-2015-2851

The Synology Cloud Station sync client for OS X contains an executable named client_chown that allows users to change the ownership of files. However, by default, it is installed as a setuid root executable. This allows any user the ability to change ownership of arbitrary system files, which may be leveraged to gain root privileges and fully compromise the host.

Versions of Synology Cloud Station sync client from 1.1-2291 up to 3.1-3320 are vulnerable.

Impact

A local standard OS X user may gain ownership over arbitrary system files, which may be leveraged to gain root privileges and fully compromise the host.

Solution

Update the client

Synology has released version 3.2-3475, which addresses this issue. According to Synology, "We have removed client_chown in the latest build (3.2-3475) as precaution, even though the impact is concluded to be very low. The client_chown tool was originally designed to ease the upgrade process of the Cloud Station client, and was included starting from build 2291. To achieve this purpose, client_chown was able to change the ownership of certain system files that belong to Cloud Station client."

Affected users are encouraged to update to version 3.2-3475 or later as soon as possible.

Vendor Information

551972
 
Expand all

Synology Affected

Notified:  April 06, 2015 Updated: May 26, 2015

Statement Date:   April 08, 2015

Status

Affected

Vendor Statement

We have removed client_chown in the latest build (3.2-3475) as precaution, even though the impact is concluded to be very low. The client_chown tool was originally designed to ease the upgrade process of the Cloud Station client, and was included starting from build 2291. To achieve this purpose, client_chown was able to change the ownership of certain system files that belong to Cloud Station client.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 1.3 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jeremy Kemp for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2851
Date Public: 2015-05-26
Date First Published: 2015-05-26
Date Last Updated: 2015-05-27 13:40 UTC
Document Revision: 50

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis