CVE-2022-27626 - Vulnerability Details - OpenCVE

A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Synology	Diskstation Manager Ds3622xs\+ Fs3410 Hd6500

Configuration 1 [-]

AND

cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:synology:ds3622xs\+:-:::::::*
	cpe:2.3:h:synology:fs3410:-:::::::*
	cpe:2.3:h:synology:hd6500:-:::::::*

No data.

References

Link	Providers
https://www.synology.com/security/advisory/Synology_SA_22_17

History

Thu, 08 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Jan 2025 19:45:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:synology:diskstation_manager::::::::	cpe:2.3:o:synology:diskstation_manager::::::::

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2022-10-20T05:50:10.327Z

Updated: 2025-05-08T13:42:27.475Z

Reserved: 2022-03-21T00:00:00.000Z

Link: CVE-2022-27626

Vulnrichment

Updated: 2024-08-03T05:32:59.212Z

NVD

Status : Modified

Published: 2022-10-20T06:15:11.857

Modified: 2025-01-14T19:29:55.853

Link: CVE-2022-27626

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-27626", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "assignerShortName": "synology", "datePublished": "2022-10-20T05:50:10.327Z", "dateUpdated": "2025-05-08T13:42:27.475Z", "dateReserved": "2022-03-21T00:00:00.000Z"}, "containers": {"cna": {"datePublic": "2022-10-20T00:00:00.000Z", "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2022-10-20T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500."}], "affected": [{"vendor": "Synology", "product": "DiskStation Manager (DSM)", "versions": [{"version": "unspecified", "lessThan": "7.1.1-42962-2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.synology.com/security/advisory/Synology_SA_22_17"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "cweId": "CWE-362"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:59.212Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synology.com/security/advisory/Synology_SA_22_17", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T13:42:20.467606Z", "id": "CVE-2022-27626", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T13:42:27.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.synology.com/security/advisory/Synology_SA_22_17", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:59.212Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-27626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-08T13:42:20.467606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T13:42:24.407Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Synology", "product": "DiskStation Manager (DSM)", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "7.1.1-42962-2", "versionType": "custom"}]}], "datePublic": "2022-10-20T00:00:00.000Z", "references": [{"url": "https://www.synology.com/security/advisory/Synology_SA_22_17"}], "descriptions": [{"lang": "en", "value": "A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2022-10-20T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-27626", "state": "PUBLISHED", "dateUpdated": "2025-05-08T13:42:27.475Z", "dateReserved": "2022-03-21T00:00:00.000Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2022-10-20T05:50:10.327Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E661755F-1521-4315-9E32-615148BAEF78", "versionEndExcluding": "7.1.1-42962-2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:synology:ds3622xs\\+:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBC3E0E3-868D-4A35-A87D-37E0C79A0702", "vulnerable": false}, {"criteria": "cpe:2.3:h:synology:fs3410:-:*:*:*:*:*:*:*", "matchCriteriaId": "0C86BD06-9795-4AF0-9D44-F66D2C555A08", "vulnerable": false}, {"criteria": "cpe:2.3:h:synology:hd6500:-:*:*:*:*:*:*:*", "matchCriteriaId": "B397D029-DBFA-477B-B2ED-CFC4C66821EB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad relativa a la ejecuci\u00f3n concurrente usando recursos compartidos con una sincronizaci\u00f3n inapropiada (\"Condici\u00f3n de Carrera\") en la funcionalidad session processing de Out-of-Band (OOB) Management. Esto permite a atacantes remotos ejecutar comandos arbitrarios por medio de vectores no especificados. Los siguientes modelos con Synology DiskStation Manager (DSM) versiones anteriores a 7.1.1-42962-2 pueden estar afectados: DS3622xs+, FS3410 y HD6500"}], "id": "CVE-2022-27626", "lastModified": "2025-01-14T19:29:55.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-10-20T06:15:11.857", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_22_17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_22_17"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "[email protected]", "type": "Primary"}]}