PT-2017-19012 · Synology · Synology Photo Station

Frederic Crozat · Published 2017-06-13 · Updated 2019-10-09 · CVE-2017-9552

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Synology Photo Station versions 6.0-2528 through 6.7.1-3419
Description A design flaw in the authentication mechanism of Synology Photo Station allows local users to obtain credentials. The synophoto dsm user program is used for authentication, and local users can exploit this by sniffing the /proc/*/cmdline to obtain the USERNAME and PASSWORD used in the synophoto dsm user --auth USERNAME PASSWORD command.
Recommendations For Synology Photo Station versions 6.0-2528 through 6.7.1-3419, consider restricting access to the /proc/*/cmdline to minimize the risk of credential exposure until a patch is available.
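The leak described above works because any local process that can read /proc can read another process's argument vector, so a secret placed in argv is exposed for as long as the helper runs. The following script is an added example (not the advisory's or Synology's code) that a defender can use to audit a host for that pattern: it parses the NUL-separated /proc/<pid>/cmdline format, flags arguments that follow a credential flag such as the "--auth USERNAME PASSWORD" form named in the advisory, and produces a redacted argv that is safe to log. The helper name, the extra flags and the sample command line are constructed for the demo; the real Photo Station helper's path is not given on the page.

```python
"""Audit /proc/*/cmdline for credentials passed as command-line arguments.

Added example, not code from the advisory. Program names, the extra
credential flags and the sample argv are constructed for the demo.
"""
import os
from typing import Dict, Iterator, List, Tuple

# Flags whose following arguments are secrets: flag -> number of secret args.
# "--auth" (username, password) is the form named in the advisory; the
# others are constructed examples of the same anti-pattern.
CREDENTIAL_FLAGS: Dict[str, int] = {"--auth": 2, "--password": 1, "-p": 1}

Finding = Tuple[str, List[str]]  # (flag, secret arguments after it)


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated, NUL-terminated) into argv."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def find_leaked_credentials(argv: List[str]) -> List[Finding]:
    """Return every credential flag in argv with the arguments it exposes."""
    findings: List[Finding] = []
    i = 0
    while i < len(argv):
        count = CREDENTIAL_FLAGS.get(argv[i], 0)
        if count:
            findings.append((argv[i], argv[i + 1:i + 1 + count]))
            i += 1 + count
        else:
            i += 1
    return findings


def redact(argv: List[str]) -> List[str]:
    """Copy of argv with the secret arguments replaced, safe to write to a log."""
    out = list(argv)
    i = 0
    while i < len(out):
        count = CREDENTIAL_FLAGS.get(out[i], 0)
        for j in range(i + 1, min(i + 1 + count, len(out))):
            out[j] = "<redacted>"
        i += 1 + count
    return out


def scan_proc(proc_root: str = "/proc") -> Iterator[Tuple[int, List[str], List[Finding]]]:
    """Walk a live Linux /proc and yield (pid, redacted argv, findings) for offenders.

    With /proc mounted hidepid=2 (the access restriction the advisory's
    recommendation points at) an unprivileged caller sees only its own
    processes here, which is exactly the point of that mitigation.
    """
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process already exited, or hidden by hidepid / permissions
        findings = find_leaked_credentials(argv)
        if findings:
            yield int(entry), redact(argv), findings


# Constructed sample of what /proc/<pid>/cmdline holds while a helper invoked
# as "helper --auth USERNAME PASSWORD" is running (values are made up).
SAMPLE_CMDLINE = b"photo_auth_helper\0--auth\0alice\0Tr0ub4dor&3\0"

if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    for flag, secrets in find_leaked_credentials(argv):
        print(f"{flag} exposes {len(secrets)} argument(s); safe to log as {redact(argv)}")
    if os.path.isdir("/proc"):  # live check, Linux only
        for pid, safe_argv, _ in scan_proc():
            print(f"pid {pid}: {' '.join(safe_argv)}")
```

The scanner reads only what the calling user is allowed to see, so run it on the host being audited; on a hardened system where /proc is remounted with hidepid=2, other users' entries are simply absent, which is the behaviour the recommendation above relies on. The durable fix is on the caller's side: a helper that needs a password should take it over stdin, a pipe or a descriptor rather than argv, because nothing a process does after exec can hide arguments that were already visible at startup.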

Weakness Enumeration

Insufficiently Protected Credentials
Improper Authentication

Related Identifiers

CVE-2017-9552

Affected Products

Synology Photo Station