PT-2017-12338 · Synology · Synology Dns Server

Published

2017-08-24

Updated

2019-10-09

CVE-2017-12074

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Synology DNS Server versions prior to 2.2.1-3042

Description The issue allows remote authenticated attackers to write arbitrary files via the domain name parameter in the SYNO.DNSServer.Zone.MasterZoneConf. This can be exploited by sending a request to a vulnerable API endpoint with a specially crafted domain name parameter.

Recommendations For versions prior to 2.2.1-3042, update to version 2.2.1-3042 or later to resolve the issue. As a temporary workaround, consider restricting access to the SYNO.DNSServer.Zone.MasterZoneConf to minimize the risk of exploitation. Avoid using the domain name parameter in the affected API endpoint until the issue is resolved.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2017-12074

Affected Products

Synology Dns Server

PT-2017-12338 · Synology · Synology Dns Server

CVE-2017-12074

Weakness Enumeration

Related Identifiers

Affected Products

References · 3