In this article, we’re going to discuss CVE-2022-27622, which highlights a Server-Side Request Forgery (SSRF) vulnerability found in the Package Center functionality of Synology DiskStation Manager (DSM) before version 7.1-42661. This vulnerability enables remote authenticated users to access sensitive intranet resources using unspecified vectors. We'll cover what SSRF is, how it affects DSM, and delve into the technical details, including code snippets and original references.

SSRF in a Nutshell

Server-Side Request Forgery (SSRF) is a type of security vulnerability that occurs when a server is tricked into making arbitrary HTTP requests to resources that it was not intended to access. SSRF can enable attackers to bypass access controls, perform port scanning, and access sensitive information on internal systems.

Details of the Vulnerability in DSM's Package Center
Synology DiskStation Manager (DSM) is a powerful and flexible NAS operating system, providing robust storage solutions, multimedia, and more. DSM's Package Center is an application store that allows users to download and install various packages for their Synology NAS devices.

The vulnerability (CVE-2022-27622) in question lies within the Package Center functionality of DSM versions before 7.1-42661. By exploiting this vulnerability, a remote authenticated user can gain unauthorized access to an organization's internal network resources.

References

Original advisory from Synology: link to the advisory

National Vulnerability Database (NVD) entry: link to NVD

Technical Details

To illustrate the flaw, let's examine a simplified, illustrative code snippet (a minimal Flask endpoint standing in for the real Package Center code, not Synology's own implementation) that shows how an SSRF vulnerability of this kind works:

import requests
from flask import Flask, request

app = Flask(__name__)

# Placeholder token store and check so the snippet runs; the original snippet
# left authenticate() undefined, and the real DSM session check is not shown here.
VALID_TOKENS = {"example-token"}


def authenticate(token):
    return token in VALID_TOKENS


@app.route("/package_center/request", methods=["POST"])
def package_center_request():
    url = request.form.get("url")      # caller-controlled and never validated
    token = request.form.get("token")

    if not authenticate(token):
        return "Invalid token", 403

    try:
        response = requests.get(url)  # SSRF vulnerable line: fetches whatever URL the caller supplied
        return response.content
    except Exception as e:
        return str(e)

In this code snippet, a web application exposes an endpoint /package_center/request that requires a valid token to access. Once the token is accepted, the application makes an HTTP GET request to whatever URL the caller supplied and returns the body. The vulnerability is that the URL input is never validated or restricted: any scheme, host or port is accepted, so an authenticated user can make the server fetch resources on the internal network that the server, but not the user, can reach, which is exactly the SSRF pattern.
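The hardened counterpart to the snippet above, written as an added example for this article (it is not Synology's code and not part of the original post): an outbound-URL policy that the handler would apply before making any request. The allowlisted host packages.example.com, the constructed DNS answers and the 93.184.216.34 placeholder address are assumptions made for the example; the policy itself is HTTPS only, an explicit host allowlist, no embedded credentials, every resolved address must be public, redirects refused, and a bounded timeout.

```python
"""Outbound-URL policy for a server-side fetch endpoint (added example, stdlib only)."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Assumed policy: HTTPS only, and only package repositories we explicitly trust.
# The allowlist entry is constructed for this example, not a real Synology host.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"packages.example.com"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails the outbound policy."""


def resolve_all(host):
    """Every address the OS resolver returns for host (default resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=resolve_all):
    """Return url unchanged if the server may fetch it, else raise UnsafeURL.

    The resolver is injectable so the policy can be exercised without DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parsed.scheme)
    host = parsed.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL("host not in allowlist: %r" % host)
    # An allowlisted name must still resolve only to public addresses, so a
    # stale, poisoned or rebinding DNS answer cannot point the fetch inward.
    try:
        addrs = resolver(host)
    except OSError as exc:
        raise UnsafeURL("cannot resolve %r: %s" % (host, exc))
    if not addrs:
        raise UnsafeURL("host does not resolve: %r" % host)
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise UnsafeURL("host %r resolves to non-public address %s" % (host, ip))
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a validated URL could otherwise bounce to an internal one."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeURL("redirect to %r refused" % newurl)


def safe_fetch(url, timeout=5, resolver=resolve_all):
    """Validate, then fetch with redirects disabled and a bounded timeout.

    This is what the article's handler should call in place of requests.get(url).
    """
    target = validate_outbound_url(url, resolver)
    opener = urllib.request.build_opener(_NoRedirect())
    with opener.open(target, timeout=timeout) as resp:
        return resp.read()


def classify(urls, resolver=resolve_all):
    """Map each URL to 'allowed' or 'rejected: <reason>'; useful in tests and log review."""
    verdicts = {}
    for u in urls:
        try:
            validate_outbound_url(u, resolver)
            verdicts[u] = "allowed"
        except UnsafeURL as exc:
            verdicts[u] = "rejected: %s" % exc
    return verdicts


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline; 93.184.216.34 stands in for any public address.
    fake_dns = {"packages.example.com": ["93.184.216.34"]}
    samples = [
        "https://packages.example.com/spk/index.json",
        "http://internal-resource.local/",      # the article's example target
        "https://127.0.0.1/",
        "https://user:secret@packages.example.com/",
    ]
    for url, verdict in classify(samples, lambda h: fake_dns.get(h, [])).items():
        print("%-48s %s" % (url, verdict))
```

One caveat worth knowing: the address check happens at validation time, and the HTTP client resolves the name again when it connects, so a DNS answer that changes between the two lookups is not fully covered by this check alone. Pinning the connection to the validated address, or routing all server-side fetches through an egress proxy that enforces the same policy, closes that gap.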

Exploit

An attacker could exploit this vulnerability by sending a crafted HTTP POST request containing the internal resource's URL and their token:

POST /package_center/request HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

url=http://internal-resource.local&token=attacker_token

If the token is valid, the server will send an HTTP request to the specified URL (http://internal-resource.local) and return its content to the attacker, giving them unauthorized access to the internal resource.

Mitigation

Synology has released a patch that addresses this vulnerability in DiskStation Manager. It is highly recommended to update DSM to the latest version (7.1-42661) by visiting the Synology Download Center and choosing your product model to download the latest DSM.

Always ensure your systems are up-to-date by applying security patches and updates regularly. Additionally, closely monitor your internal and external network traffic for any suspicious activities.

Conclusion

This long-read post has examined CVE-2022-27622, an SSRF vulnerability in Synology DSM's Package Center functionality. We have discussed the technical aspects of the vulnerability in detail and provided advice on how to mitigate it. By understanding and addressing these vulnerabilities, organizations can strengthen their security posture and reduce the risk of unauthorized access to their sensitive intranet resources.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 16:34:00 UTC