CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-10442

CVSS 10.0v3.1pub. 2025-03-19upd. 2026-01-16

Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.

🤖 AI Analysis
How it works

An off-by-one error (CWE-193) involves incorrect calculation of a buffer boundary or counter by one element — in this case in the component responsible for data transmission. An attacker can remotely, without any authentication and user interaction, exploit this flaw through unspecified attack vectors, leading to arbitrary code execution. Due to the changed scope (S:C in the CVSS vector), the impact may extend beyond the directly attacked component and affect a broader system context.

Impact

An attacker can execute arbitrary code on a vulnerable device without authentication, potentially leading to complete system takeover and the ability to further spread the attack throughout the infrastructure.

Mitigation & patch

Synology Replication Service must be immediately updated to version 1.0.12-0066, 1.2.2-0353 or 1.3.0-0423 (depending on the used branch) and Synology Unified Controller (DSMUC) to version 3.1.4-23079 or later. Details are available in the vendor's advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_24_22

Who is affected

Synology Replication Service in versions before 1.0.12-0066, before 1.2.2-0353 and before 1.3.0-0423; Synology Unified Controller (DSMUC) in versions before 3.1.4-23079

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Syncology Replication Service

    APP
    Syncology
    < 1.3.0-0423
  • Synology Diskstation Manager

    OS
    Synology
    6.27.17.2
  • Synology Diskstation Manager Unified Controller

    APP
    Synology
    3.1
  • Synology Replication Service

    APP
    Synology
    < 1.2.2-0353≤ 1.0.12-0066
  • Synology Unified Controller

    APP
    Synology
    < 3.1.4-23079
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-45538CRITICAL9.6PL ✓ten sam produkt

CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller

CVE-2024-10441CRITICAL9.8PL ✓ten sam produkt

RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie

CVE-2024-10443CRITICAL9.8PL ✓ten sam produkt

OS Command Injection w Synology BeePhotos i Synology Photos — RCE bez uwierzytelnienia

CVE-2024-29241CRITICAL9.9PL ✓ten sam produkt

Brak autoryzacji w Synology Surveillance Station — zapis konfiguracji i restart NAS

CVE-2022-27625CRITICAL10.0ten sam produkt

A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in ...