Executable installed with incorrect default permissions

May 26, 2015 15:26 GMT

The OS X synchronization client for the Cloud Station product from Synology can be used by an attacker to gain root privileges for the storage device and compromise it completely.

Synology Cloud Station is designed as a private cloud solution that can synchronize data across multiple devices (smartphones, computers, tablets) via a local client. It comes with capabilities like file versioning, selective sync, and encryption.

Local user could gain root privileges

The security weakness, reported by Jeremy Kemp, is not caused by a vulnerability in the code used by the product but by incorrect default permissions granted to an executable in the OS X client that allows users to change ownership of the files in the cloud.

In versions of the client starting with 1.1-2291 and up to 3.2-3475, the “client_chown” executable is installed with the setuid (set-user-ID) root bit, meaning that any local user who runs it can change the ownership of files with root privileges.

“A local standard OS X user may gain ownership over arbitrary system files, which may be leveraged to gain root privileges and fully compromise the host,” explains a security advisory on Tuesday from the CERT (Computer Emergency Readiness Team) division of Carnegie Mellon University.
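The weakness described above is an unintended setuid-root helper, and the check a defender wants is an inventory of setuid executables on the host. The script below is an added example, not code from the article, Synology or CERT: it lists every regular file under a given directory that carries the set-user-ID bit, together with its owner, so a root-owned one like “client_chown” stands out. It assumes POSIX sh, find(1), ls(1) and awk(1); the demo directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a directory tree for
# set-user-ID executables, the class of file the advisory is about.

# Print every regular file under $1 with the setuid bit set, one per
# line as "<owner> <path>". -perm -4000 works on both GNU and BSD find.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # third column of ls -ld is the owner on GNU and BSD ls alike
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s\n' "$owner" "$f"
    done
}

# Exit 0 if at least one setuid file exists under $1, 1 otherwise;
# handy as a post-install or configuration check for a client bundle.
has_setuid() {
    [ -n "$(find "$1" -type f -perm -4000 2>/dev/null)" ]
}

# Demo on a constructed directory: one ordinary tool, one with setuid.
demo_dir=$(mktemp -d)
: > "$demo_dir/plain_tool"; chmod 0755 "$demo_dir/plain_tool"
: > "$demo_dir/suid_tool";  chmod 4755 "$demo_dir/suid_tool"
find_setuid "$demo_dir"        # reports only suid_tool
rm -rf "$demo_dir"
```

Run it against the client's install location (for the OS X client, the application bundle and any helper directory it installs into) after each upgrade; a root-owned entry in the output is exactly the condition the advisory warns about, and an empty result confirms the fixed build no longer ships the helper.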

CVSS severity score calculated at 6.8

Synology addressed the issue by releasing an update to version 3.2-3475 that no longer ships “client_chown,” a helper whose purpose was to make upgrading the Cloud Station client easier.

The company said that the impact of the security flaw is low. CERT calculated the severity score of the glitch, which is now tracked as CVE-2015-2851. As per the CVSS (Common Vulnerability Scoring System) standard, the issue received a rating of 6.8 out of 10.

Affected users are advised to update their client to build 3.2-3475 or later as soon as possible.

Recently, Synology rolled out a set of updates for other products in their portfolio, namely Photo Station and the DiskStation Manager web-based operating system, fixing more severe vulnerabilities that could grant an attacker full access to the data stored on network attached storage devices.