VYPR
Low severity · 2.7 · NVD Advisory · Published May 27, 2026

CVE-2024-47267


Description

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in the Archiving Pull functionality of Synology Surveillance Station allows remote authenticated users with administrator privileges to perform limited file writes.

Vulnerability

A path traversal vulnerability exists in the Archiving functionality of Synology Surveillance Station. The bug is an improper limitation of a pathname to a restricted directory, enabling limited file write by remote authenticated users with administrator privileges. Affected versions are Surveillance Station before 9.2.2-11575 on DSM 7.2 and 7.1, and before 9.2.2-9575 on DSM 6.2 [1].

Exploitation

An attacker must have remote network access and valid administrator credentials on the Synology Surveillance Station. The exact attack vector is unspecified, but the path traversal occurs in the Archiving Pull capability. With administrator-level access, the attacker can send crafted requests that cause file writes to unintended locations inside or near the restricted archive directory. The limited nature of the file write prevents full control over arbitrary paths [1].

Impact

Successful exploitation allows the attacker to perform limited file write operations outside the intended archive directory. The severity is low (CVSS 2.7) and the impact is constrained to writing specific files within a restricted scope, likely not leading to full compromise [1].

Mitigation

Synology released fixed versions: upgrade Surveillance Station to 9.2.2-11575 for DSM 7.2/7.1, and to 9.2.2-9575 for DSM 6.2. No workaround is disclosed, and the advisory provides no further mitigation steps [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
