CVE-2017-9552
Last modified
CVE-2017-9552 is a vulnerability of currently unknown severity. A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".. EPSS estimates a 0.31% chance of exploitation in the next 30 days.
Description
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Synology | Photo Station | 6.0-2528 |
| Synology | Photo Station | 6.0-2636 |
| Synology | Photo Station | 6.0-2638 |
| Synology | Photo Station | 6.0-2639 |
| Synology | Photo Station | 6.0-2640 |
| Synology | Photo Station | 6.3-2944 |
| Synology | Photo Station | 6.3-2958 |
| Synology | Photo Station | 6.3-2960 |
| Synology | Photo Station | 6.3-2962 |
| Synology | Photo Station | 6.3-2963 |
| Synology | Photo Station | 6.3-2964 |
| Synology | Photo Station | 6.3-2965 |
| Synology | Photo Station | 6.4-3166 |
| Synology | Photo Station | 6.5.0-3218 |
| Synology | Photo Station | 6.5.1-3223 |
| Synology | Photo Station | 6.5.2-3225 |
| Synology | Photo Station | 6.5.3-3226 |
| Synology | Photo Station | 6.6.0-3339 |
| Synology | Photo Station | 6.6.1-3345 |
| Synology | Photo Station | 6.6.1-3346 |
| Synology | Photo Station | 6.6.2-3346 |
| Synology | Photo Station | 6.6.3-3347 |
| Synology | Photo Station | 6.7.0-3414 |
| Synology | Photo Station | 6.7.1-3419 |
References
- http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.htmlIssue Tracking, Third Party Advisory
- https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552Third Party Advisory
- http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.htmlIssue Tracking, Third Party Advisory
- https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-9552?
How severe is CVE-2017-9552?
How do I fix CVE-2017-9552?
Are you affected by CVE-2017-9552?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST