CVE-2017-15887
Description
CVE-2017-15887 allows remote attackers to brute-force user credentials against Synology CardDAV Server before 6.0.7-0085.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper restriction of excessive authentication attempts vulnerability exists in the /principals endpoint of Synology CardDAV Server before version 6.0.7-0085. This allows remote attackers to perform brute-force attacks without any prior authentication or special conditions [1].
Exploitation
An attacker can exploit this vulnerability by sending a high volume of authentication requests to the /principals endpoint from any network-connected location. No authentication or user interaction is required. The attacker systematically guesses or iterates over possible credentials until successful authentication is achieved [1].
Impact
Successful exploitation enables the attacker to obtain user credentials, potentially gaining access to system user accounts. This can lead to unauthorized access to sensitive data (confidentiality) and the ability to modify or delete data (integrity). The CVSS v3 base score is 9.1 (Critical) [1].
Mitigation
The vulnerability is fixed in CardDAV Server version 6.0.7-0085 and later. Users should update via DSM Package Center. No workarounds are available; updating is the only mitigation [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <6.0.7-0085
- (no CPE) range: before 6.0.7-0085
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.synology.com/en-global/support/security/Synology_SA_17_64_CardDAV_Server (NVD tags: Issue Tracking, Vendor Advisory)
News mentions
No linked articles in our index yet.