Synology Security Advisory SA-22:15 GLPI Disclosed Multiple Remote Access Vulnerabilities

Written by Andrew Doyle

December 26, 2023

Synology Security Advisor SA-22:15 revealed multiple vulnerabilities that allow remote access to sensitive information, add web scripts, HTML, or inject SQL command(s) via the vulnerable version of GLPI.

In a security advisory published Sep 16th, 2022, Synology, Inc. disclosed critical vulnerabilities, in the information resource manager add-on GLPI, that impacts their NAS devices.

The status of the vulnerabilities is currently marked “resolved”. Synology is asking customers to upgrade the affected product.

Vulnerabilities Listed in the Security Advisory

The advisory lists six vulnerabilities with severity scores ranging from 9.8 to 3.5.

User Login Vulnerability to SQL Injection Attack (CVE-2022-35947)

Severity: Critical

CVSS3 Base Score: 9.8

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Brief Overview:

Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.

Private Information Defined in GLPI Setup is Exposed (CVE-2022-31143)

Severity: Moderate

CVSS3 Base Score: 5.3

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Brief Overview:

It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.

HTML Tags in Global Search Context Not Properly Neutralized (CVE-2022-31187)

Severity: Moderate

CVSS3 Base Score: 8.2

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

Brief Overview:

Affected versions were found to not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve this issue. Users unable to upgrade should disable global search.

Registration Key Information can be Used to Steal GLPI Administrator Cookie (CVE-2022-35945)

Severity: Moderate

CVSS3 Base Score: 7.1

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Brief Overview:

Information associated to registration key are not properly escaped in registration key configuration page. They can be used to steal a GLPI administrator cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue. Workarounds Do not use a registration key created by an untrusted person.

Request Input can be Used to Access Low-Level API of Plugin Class (CVE-2022-35946)

Severity: Moderate

CVSS3 Base Score: 5.5

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Brief Overview:

In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have “General setup” update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.

RSS Feeds or External Calendar Vulnerable to SSRF Exploit (CVE-2022-36112)

Severity: Low

CVSS3 Base Score: 3.5

CVSS3 Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Brief Overview:

Usage of RSS feeds or external calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

Impacted Synology Product

The affected product is GLPI (Gestionnaire Libre de Parc Informatique) for DSM 6.2. A resource manager add-on. It is used to build up a database with all the inventory in a company (computer, software, printers, etc.).

According to the security advisory, Synology customers need to upgrade it to 10.0.3-0146 or above.

 

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter

 

Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!