Synology Security Advisory SA-22:15 GLPI Disclosed Multiple Remote Access Vulnerabilities


    Synology Security Advisory SA-22:15 disclosed multiple vulnerabilities in affected versions of GLPI that allow a remote attacker to access sensitive information, inject web scripts or HTML, or inject SQL commands.

    In a security advisory published Sep 16th, 2022, Synology, Inc. disclosed critical vulnerabilities in the information resource manager add-on GLPI that impact its NAS devices.

    The status of the vulnerabilities is currently marked “resolved”. Synology is asking customers to upgrade the affected product.

    Vulnerabilities Listed in the Security Advisory

    The advisory lists six vulnerabilities with CVSS3 base scores ranging from 9.8 down to 3.5.

    User Login Vulnerability to SQL Injection Attack (CVE-2022-35947)

    Severity: Critical

    CVSS3 Base Score: 9.8

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Brief Overview:

    Affected versions are vulnerable to a SQL injection attack that an attacker could leverage to simulate a login as an arbitrary user. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.
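The lookup behind a token-based login is a typical place for this class of bug, so the following added example (written for this page, not GLPI's own code or schema) shows a string-built token query beside its parameterised form, against a constructed in-memory SQLite table. The table name, column names and token values are assumptions made for the illustration; the point is that only the parameterised lookup keeps the token as data.

```python
import sqlite3


# Constructed in-memory table standing in for a user table with API tokens;
# it is an assumption for this example, not GLPI's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, api_token) VALUES (?, ?)",
        [("glpi", "tok-admin-0001"), ("tech", "tok-tech-0002")],  # constructed data
    )
    return conn


def login_by_token_vulnerable(conn, token):
    """Token is spliced into the SQL text, so it can rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE api_token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_by_token_safe(conn, token):
    """Token is bound as a parameter; the driver never parses it as SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE api_token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups on a genuine token and on a tautology test input."""
    conn = make_db()
    tautology = "' OR 1=1 --"  # constructed test input for the comparison
    return {
        "vulnerable_real_token": login_by_token_vulnerable(conn, "tok-tech-0002"),
        "vulnerable_tautology": login_by_token_vulnerable(conn, tautology),
        "safe_real_token": login_by_token_safe(conn, "tok-tech-0002"),
        "safe_tautology": login_by_token_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup returns the first user in the table for the tautology input, which is exactly the "simulate an arbitrary user login" outcome the advisory describes; the parameterised lookup returns nothing for it. Disabling external-token login, as the advisory suggests, removes the reachable code path, but the durable fix is binding every request-controlled value as a parameter.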

    Private Information Defined in GLPI Setup is Exposed (CVE-2022-31143)

    Severity: Moderate

    CVSS3 Base Score: 5.3

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Brief Overview:

    Affected versions expose private information defined in the GLPI setup (such as SMTP or CAS hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.

    HTML Tags in Global Search Context Not Properly Neutralized (CVE-2022-31187)

    Severity: Moderate

    CVSS3 Base Score: 8.2

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

    Brief Overview:

    Affected versions do not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve this issue. Users unable to upgrade should disable global search.

    Registration Key Information can be Used to Steal GLPI Administrator Cookie (CVE-2022-35945)

    Severity: Moderate

    CVSS3 Base Score: 7.1

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

    Brief Overview:

    Information associated with a registration key is not properly escaped on the registration key configuration page and can be used to steal a GLPI administrator's cookie. Users are advised to upgrade to 10.0.3. Workaround: do not use a registration key created by an untrusted person.

    Request Input can be Used to Access Low-Level API of Plugin Class (CVE-2022-35946)

    Severity: Moderate

    CVSS3 Base Score: 5.5

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

    Brief Overview:

    In affected versions, request input is not properly validated in the plugin controller and can be used to access the low-level API of the Plugin class. An attacker can, for instance, alter database data. The attacker must have “General setup” update rights to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.

    RSS Feeds or External Calendar Vulnerable to SSRF Exploit (CVE-2022-36112)

    Severity: Low

    CVSS3 Base Score: 3.5

    CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

    Brief Overview:

    Use of RSS feeds or an external calendar in planning is subject to SSRF. The server-side requests can be used to scan ports or services open on the GLPI server or its private network. Query responses are not exposed to the end user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.
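Any feature that fetches a user-supplied URL server-side (an RSS feed, an external calendar) needs a destination check before the request is made. The following added example, written for this page and not taken from GLPI, shows such a check in Python: it allows only http(s), rejects embedded credentials, resolves the host and refuses the fetch if any resolved address is private, loopback, link-local or otherwise internal. The name-to-address map is constructed so the example runs offline; a real deployment resolves through DNS (for instance `socket.getaddrinfo`) and must vet every returned address.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed name -> address map standing in for DNS so the example runs offline.
FAKE_DNS = {
    "feeds.example.org": ["93.184.216.34"],                  # public address
    "intranet.corp.example": ["10.0.0.5"],                   # RFC 1918 address
    "mixed.example.org": ["93.184.216.34", "127.0.0.1"],     # one public, one loopback
}


def resolve(host, resolver=FAKE_DNS):
    """Return the ip_address objects a host maps to; a literal IP maps to itself."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host, [])]


def is_internal(ip):
    """True for any address a server-side fetch should never reach on a user's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_feed_url(url, resolver=FAKE_DNS):
    """Allow only http(s) URLs whose host resolves exclusively to non-internal addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    addrs = resolve(host, resolver)
    if not addrs:
        return False  # unresolvable: fail closed rather than let the HTTP client decide
    # One internal address among several is enough to refuse (covers mixed records).
    return not any(is_internal(ip) for ip in addrs)


if __name__ == "__main__":
    for candidate in ("https://feeds.example.org/rss.xml",
                      "http://intranet.corp.example/",
                      "http://mixed.example.org/",
                      "http://[::1]/"):
        print(candidate, "->", "allowed" if is_safe_feed_url(candidate) else "refused")
```

Two caveats apply to the design: the fetch must connect to the address that was checked (not re-resolve the hostname later, which reopens a DNS rebinding window), and if the HTTP client follows redirects, each redirect target has to pass the same check. Because this SSRF is blind, the only response an attacker sees is timing or error behaviour, so a check that fails closed on unresolvable hosts also avoids leaking resolution results.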

    Impacted Synology Product

    The affected product is GLPI (Gestionnaire Libre de Parc Informatique) for DSM 6.2, a resource manager add-on used to build a database of all the inventory in a company (computers, software, printers, etc.).

    According to the security advisory, Synology customers need to upgrade it to 10.0.3-0146 or above.
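The Synology package version (10.0.3-0146) carries a build suffix after the upstream GLPI version, and a plain "10.0.3" is not the same thing, so a fleet check has to compare both parts. The following added example (written for this page; the inventory data is constructed and not real hosts) parses that version format and lists the hosts still below the fixed version named in the advisory.

```python
import re

FIXED_VERSION = "10.0.3-0146"  # fixed package version named in the advisory


def parse_synology_version(version):
    """'10.0.3-0146' -> ((10, 0, 3), 146); a missing build suffix counts as 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return parts, build


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed package is at or above the fixed version.

    Tuples compare element-wise, so the upstream version decides first and the
    build suffix only breaks ties; '10.0.3' without a suffix is still below
    '10.0.3-0146'.
    """
    return parse_synology_version(installed) >= parse_synology_version(fixed)


def hosts_needing_upgrade(inventory, fixed=FIXED_VERSION):
    """Given {hostname: installed_version}, return the hosts still on a vulnerable package."""
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver, fixed))


if __name__ == "__main__":
    # Constructed inventory for the demonstration, not real hosts or versions.
    sample = {"nas-01": "9.5.7-0100", "nas-02": "10.0.3-0146", "nas-03": "10.0.3"}
    print(hosts_needing_upgrade(sample))  # ['nas-01', 'nas-03']
```

The version strings would normally come from the Package Center or from an inventory export; feeding them through this check gives a single list of devices to schedule for the upgrade.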
