Race condition in Synology Photo Station

Published: 2020-10-20

Risk	Medium
Patch available	NO
Number of vulnerabilities	1
CVE-ID	N/A
CWE-ID	CWE-362
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Photo Station Client/Desktop applications / Other client software
Vendor	Synology Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Race condition

EUVDB-ID: #VU47731

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: N/A

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a race condition in the "SYNOPHOTO_Flickr_MultiUpload" function. A remote authenticated attacker can exploit the race and execute arbitrary code with elevated privileges.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Photo Station: - - 6.8.2-3461

CPE2.3

External links

https://srcincite.io/pocs/src-2018-{0005,0006}.py.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.