CVE-2017-9552
Description
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
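The pattern the description names, as an added example that is not part of this record or Synology's code: a constructed stand-in for the authenticator accepts the password either on the command line (the `--auth USERNAME PASSWORD` shape described above) or on stdin, and reports whether the secret is visible in its own `/proc/self/cmdline`, which is readable by any local user. The credential store and the `auth_via_argv` / `auth_via_stdin` helpers are assumptions for illustration; the stdin variant is the mitigation pattern (CWE-522).

```python
import subprocess
import sys

# Stand-in for the synophoto_dsm_user authenticator (constructed for this
# example; not Synology's code). Username comes from argv; the password comes
# from argv when a second argument is present (the vulnerable pattern) or from
# stdin otherwise. The stub also reports whether the password shows up in its
# own /proc/self/cmdline, the file any local user can read.
AUTH_STUB = r"""
import sys
CREDENTIALS = {"alice": "s3cret"}  # constructed sample credential store
user = sys.argv[1]
password = sys.argv[2] if len(sys.argv) > 2 else sys.stdin.readline().rstrip("\n")
try:
    with open("/proc/self/cmdline", "rb") as f:
        argv_seen = f.read().split(b"\0")   # NUL-separated, as /proc presents it
except OSError:                             # not Linux: fall back to sys.argv
    argv_seen = [a.encode() for a in sys.argv]
leaked = password.encode() in argv_seen
ok = CREDENTIALS.get(user) == password
print(int(ok), int(leaked))
"""


def _run(argv, stdin_text=None):
    """Run the stub; return (authenticated, password_visible_in_cmdline)."""
    proc = subprocess.run(argv, input=stdin_text, capture_output=True,
                          text=True, check=True)
    ok, leaked = proc.stdout.split()
    return ok == "1", leaked == "1"


def auth_via_argv(user, password):
    """Vulnerable pattern: secret passed as a command-line argument."""
    return _run([sys.executable, "-c", AUTH_STUB, user, password])


def auth_via_stdin(user, password):
    """Hardened pattern: username in argv, password piped over stdin only."""
    return _run([sys.executable, "-c", AUTH_STUB, user],
                stdin_text=password + "\n")


if __name__ == "__main__":
    print("argv :", auth_via_argv("alice", "s3cret"))    # (True, True)
    print("stdin:", auth_via_stdin("alice", "s3cret"))   # (True, False)
```

The same check applies to any service helper: if a secret is in argv, `ps` and `/proc/*/cmdline` expose it to every local account, so pass it via stdin, a file descriptor, or a root-only file instead.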
Mitigations
No mitigations published for this CVE yet.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| synology | photo_station | 6.0-2528 | |
| synology | photo_station | 6.0-2636 | |
| synology | photo_station | 6.0-2638 | |
| synology | photo_station | 6.0-2639 | |
| synology | photo_station | 6.0-2640 | |
| synology | photo_station | 6.3-2944 | |
| synology | photo_station | 6.3-2958 | |
| synology | photo_station | 6.3-2960 | |
| synology | photo_station | 6.3-2962 | |
| synology | photo_station | 6.3-2963 | |
| synology | photo_station | 6.3-2964 | |
| synology | photo_station | 6.3-2965 | |
| synology | photo_station | 6.4-3166 | |
| synology | photo_station | 6.5.0-3218 | |
| synology | photo_station | 6.5.1-3223 | |
| synology | photo_station | 6.5.2-3225 | |
| synology | photo_station | 6.5.3-3226 | |
| synology | photo_station | 6.6.0-3339 | |
| synology | photo_station | 6.6.1-3345 | |
| synology | photo_station | 6.6.1-3346 | |
| synology | photo_station | 6.6.2-3346 | |
| synology | photo_station | 6.6.3-3347 | |
| synology | photo_station | 6.7.0-3414 | |
| synology | photo_station | 6.7.1-3419 | |
References
- http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html
- https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552
CWEs
CWE-522 CWE-287