CVE-2017-12074

Name of the Vulnerable Software and Affected Versions Synology DNS Server versions prior to 2.2.1-3042

Description The issue allows remote authenticated attackers to write arbitrary files via the domain name parameter in the SYNO.DNSServer.Zone.MasterZoneConf. This can be exploited by sending a request to a vulnerable API endpoint with a specially crafted domain name parameter.

Recommendations For versions prior to 2.2.1-3042, update to version 2.2.1-3042 or later to resolve the issue. As a temporary workaround, consider restricting access to the SYNO.DNSServer.Zone.MasterZoneConf to minimize the risk of exploitation. Avoid using the domain name parameter in the affected API endpoint until the issue is resolved.