An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-40400: TALOS-2021-1413 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the sphere.c start\_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Sound Exchange libsox 14.4.2  
Sound Exchange libsox master commit 42b3557e

**Product URLs**

libsox - http://sox.sourceforge.net/Main/HomePage

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

Libsox is a well-aged library used for cross-platform audio editing software, originally written in 1991. After decades of development, a wide range of file formats are supported, including .wav, .flac, and .mp3 (with the aid of an external library).

Out of the multitude of file formats that Sound Exchange’s libsox can deal with, today we discuss the extremely obscure NIST Speech Header Resources (SPHERE) file format, which apparently is used for speech recognition. But regardless of the purpose, libsox will still process a given file as a `.sph` assuming that the file header matches:

     static char const * auto_detect_format(sox_format_t * ft, char const * ext)
    {
      char data[AUTO_DETECT_SIZE];
      size_t len = lsx_readbuf(ft, data, ft->seekable? sizeof(data) : PIPE_AUTO_DETECT_SIZE);
      #define CHECK(type, p2, l2, d2, p1, l1, d1) if (len >= p1 + l1 && \
          !memcmp(data + p1, d1, (size_t)l1) && !memcmp(data + p2, d2, (size_t)l2)) return #type;
      // [...]
      CHECK(sph   , 0, 0, ""     , 0,  7, "NIST_1A")
    

This `auto_detect_format` will be hit from either `sox_open_mem_read` or `sox_open_read`, but only if the filetype is not specified by the arguments. Either way, since it’s possible to hit the processing in `sphere.c` via autodetection, let us look at the `start_read` function for the SPHERE file format:

    static int start_read(sox_format_t * ft)
    {
      unsigned long header_size_ul = 0, num_samples_ul = 0;   
      size_t     header_size, bytes_read;  
      // [...]
      char           fldname[64], fldtype[16], fldsval[128];
      char           * buf;
    
      /* Magic header */
      if (lsx_reads(ft, fldname, (size_t)8) || strncmp(fldname, "NIST_1A", (size_t)7) != 0) {   // [1]
        lsx_fail_errno(ft, SOX_EHDR, "Sphere header does not begin with magic word `NIST_1A'");
        return (SOX_EOF);
      }
    
      if (lsx_reads(ft, fldsval, (size_t)8)) {                                                  // [2]
        lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
        return (SOX_EOF);
      }
    
      /* Determine header size, and allocate a buffer large enough to hold it. */
      sscanf(fldsval, "%lu", &header_size_ul);                                                  // [3]
      if (header_size_ul < 16) {
        lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
        return (SOX_EOF);
      }
    
      buf = lsx_malloc(header_size = header_size_ul);                                           // [4]
    

So far the code is pretty standard. We read eight bytes at \[1\], make sure the “NIST\_1A” magic bytes are there, and then read another eight bytes at \[2\], this time populating them into the `unsigned long header_size_ul` at \[3\]. At \[4\], we then allocate a buffer of that size. Again, pretty standard. Continuing on:

      /* Skip what we have read so far */
      header_size -= 16;
    
      if (lsx_reads(ft, buf, header_size) == SOX_EOF) {       // [5]
        lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
        free(buf);
        return (SOX_EOF);
      }
    
      header_size -= (strlen(buf) + 1);
    

At \[5\] we see the main function used for reading our input buffer, `lsx_reads`. Suffice to say, this function is essentially `fgets` (although I’m not actually sure which function has seniority), and `buf` will contain a new line of text from our input buffer every time `lsx_reads` is called. We now finally reach our main processing loop:

      while (strncmp(buf, "end_head", (size_t)8) != 0) {    // [6]
      
        if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
          sscanf(buf, "%63s %15s %u", fldname, fldtype, &bytes_per_sample);
        else if (strncmp(buf, "channel_count", (size_t)13) == 0)
          sscanf(buf, "%63s %15s %u", fldname, fldtype, &channels);
          // [...] 
          else {
            lsx_fail_errno(ft, SOX_EFMT, "sph: unsupported coding `%s'", fldsval);
            free(buf);
            return SOX_EOF;
          }
        }
        else if (strncmp(buf, "sample_byte_format", (size_t)18) == 0) {
          sscanf(buf, "%53s %15s %127s", fldname, fldtype, fldsval);
          if (strcmp(fldsval, "01") == 0)         /* Data is little endian. */
            ft->encoding.reverse_bytes = MACHINE_IS_BIGENDIAN;
          else if (strcmp(fldsval, "10") == 0)    /* Data is big endian. */
            ft->encoding.reverse_bytes = MACHINE_IS_LITTLEENDIAN;
          else if (strcmp(fldsval, "1")) {
            lsx_fail_errno(ft, SOX_EFMT, "sph: unsupported coding `%s'", fldsval);
            free(buf);
            return SOX_EOF;
          }
        }
    
        if (lsx_reads(ft, buf, header_size) == SOX_EOF) {   // [7]
          lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
          free(buf);
          return (SOX_EOF);
        }
    
        header_size -= (strlen(buf) + 1); 
    

At \[6\], we can see that we’re looping until a `end_head` header is found, but in the meantime, we search for various headers in the file (e.g. `"channel_count"`, `"sample_byte_format"`, etc.). After going through the specific buffer line, we read a new one in at \[7\], then subtract the length of our new buffer plus one at \[8\]. The `+ 1` compensates for the `\n` or `\x00` bytes that delimit the headers of our file.

But let’s examine a situation in which we provide a file that does not contain a valid `end_head` header:

      while (strncmp(buf, "end_head", (size_t)8) != 0) {  // [6]
      
        if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
          sscanf(buf, "%63s %15s %u", fldname, fldtype, &bytes_per_sample);
        else if (strncmp(buf, "channel_count", (size_t)13) == 0)
            // [...]
        }
    
        if (lsx_reads(ft, buf, header_size) == SOX_EOF) { // [7] 
          lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
          free(buf);
          return (SOX_EOF);
        }
    
        header_size -= (strlen(buf) + 1); 
    

At \[6\] again, we start our loop, which eventually processes our header strings inside, but then at \[7\] the next header is read via `lsx_reads`. A quick look at `lsx_reads` reveals an important detail:

    int lsx_reads(sox_format_t * ft, char *c, size_t len)
    {
        char *sc;
        char in;
    
        sc = c;
        do  // [8]
        {
            if (lsx_readbuf(ft, &in, (size_t)1) != 1)
            {
                *sc = 0;
                return (SOX_EOF);
            }
            if (in == 0 || in == '\n')
                break;
    
            *sc = in;
            sc++;
        } while (sc - c < (ptrdiff_t)len);  // [9]
        *sc = 0;
        return(SOX_SUCCESS);
    }
    

Since `lsx_reads` utilizes a `do`/`while` loop (\[8\], \[9\]), even though the conditional at \[9\] depends on a less-than sign and not a less-than-equals-to sign. If our input `len` parameter is 22, then 22 bytes of data are copied over, followed by the null byte write. So in effect, 23 bytes of data get written from a 22 byte len, which is an off-by-one. Curiously, in spite of `lsx_reads` ubiquitous usage in libsox, all the other call sites compensate for this off-by-one, usually with a `-1` to the input `len` parameter when calling. However, in the `sphere.c` code, we see a different compensation:

        if (lsx_reads(ft, buf, header_size) == SOX_EOF) {   // [10]
          lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
          free(buf);
          return (SOX_EOF);
        }
    
        header_size -= (strlen(buf) + 1);                   // [11]
    

At \[11\], we can see that an extra byte is subtracted from our `header_size` parameter to compensate for the off-by-one in `lsx_reads`. Thus, if the `header_size` is 22 and our next buffer is read in, `lsx_reads` will stop at 22 bytes (regardless of the length of the rest of the buffer). Then we subtract 23 from `header_size`, resulting in an integer underflow.

With regards to exploitation: While normally such a situation might result in a wild copy (i.e. we couldn’t stop the bug from writing into things we don’t want it to and crashing), we’re bailed out by the overall structure of this function. We’d simply have our next read be our overflow string of any size that we wanted, and then the following read just being `"end_head"`. This would allow us to arbitrarily overwrite data on the heap while also allowing us to continue into the code to actually utilize the heap overflow.

**Crash Information**

    ==778467==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000ba at pc 0x0000004bea6e bp 0x7ffeacb7c950 sp 0x7ffeacb7c118
    WRITE of size 203 at 0x6060000000ba thread T0
        #0 0x4bea6d in __interceptor_fread (/doop/boop/sox/triage_built/fuzz_sox.bin+0x4bea6d)
        #1 0x7ff5dc360ea7 in lsx_readbuf /doop/boop/sox/triage_built/triage_sox/src/formats_i.c:98:16
        #2 0x7ff5dc4b9bc0 in start_read /doop/boop/sox/triage_built/triage_sox/src/sphere.c:119:18
        #3 0x7ff5dc46c864 in open_read /doop/boop/sox/triage_built/triage_sox/src/formats.c:545:32
        #4 0x7ff5dc46d2bb in sox_open_mem_read /doop/boop/sox/triage_built/triage_sox/src/formats.c:595:10
        #5 0x55623a in LLVMFuzzerTestOneInput /doop/boop/sox/./fuzz_sox_harness.cpp:51:10
        #6 0x456ff3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #7 0x442b32 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #8 0x448a5b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #9 0x471ef2 in main (/doop/boop/sox/triage_built/fuzz_sox.bin+0x471ef2)
        #10 0x7ff5dbfa1fcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #11 0x7ff5dbfa207c in __libc_start_main csu/../csu/libc-start.c:409:3
        #12 0x41f7a4 in _start (/doop/boop/sox/triage_built/fuzz_sox.bin+0x41f7a4)
    
    0x6060000000ba is located 0 bytes to the right of 58-byte region [0x606000000080,0x6060000000ba)
    allocated by thread T0 here:
        #0 0x521d83 in __interceptor_realloc (/doop/boop/sox/triage_built/fuzz_sox.bin+0x521d83)
        #1 0x7ff5dc47b388 in lsx_realloc /doop/boop/sox/triage_built/triage_sox/src/xmalloc.c:37:14
        #2 0x7ff5dc4b9376 in start_read /doop/boop/sox/triage_built/triage_sox/src/sphere.c:55:9
        #3 0x7ff5dc46c864 in open_read /doop/boop/sox/triage_built/triage_sox/src/formats.c:545:32
        #4 0x7ff5dc46d2bb in sox_open_mem_read /doop/boop/sox/triage_built/triage_sox/src/formats.c:595:10
        #5 0x55623a in LLVMFuzzerTestOneInput /doop/boop/sox/./fuzz_sox_harness.cpp:51:10
        #6 0x456ff3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #7 0x442b32 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #8 0x448a5b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #9 0x471ef2 in main (/doop/boop/sox/triage_built/fuzz_sox.bin+0x471ef2)
        #10 0x7ff5dbfa1fcf in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/doop/boop/sox/triage_built/fuzz_sox.bin+0x4bea6d) in __interceptor_fread
    Shadow bytes around the buggy address:
      0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
    =>0x0c0c7fff8010: 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa
      0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
    
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==692318==ABORTING
    

**Timeline**

2021-12-22 - Initial contact  
2022-01-14 - Follow up with vendor; vendor acknowledged  
2022-03-23 - Vendor disclosure  

Discovered by Lilith of Cisco Talos.

CVE-2021-40426: TALOS-2021-1434 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the parse_raster_data functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-40398: TALOS-2021-1411 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Moxa MXView Series 3.2.4

**Product URLs**

MXView Series - https://www.moxa.com/en/products/industrial-network-infrastructure/network-management-software/mxview-series

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-798 - Use of Hard-coded Credentials

**Details**

Moxa’s MXview network management software is designed for configuring, monitoring, and diagnosing networking devices in industrial networks. MXview provides an integrated management platform that can discover networking devices and SNMP/IP devices installed on subnets. All selected network components can be managed via a web browser from both local and remote sites—anytime and anywhere.

The default installation of MXview adds an undocumented service listening on port 4430 which accepts authentication using admin:moxa with no obvious or documented way to change or disable this access. Changing the admin user’s password via a different service, such as the web application on ports 80/443, does not change the password for the service on port 4430 (referred to as the “polling engine port” during installation). There does not appear to be a “change password” function for this service.

Logging in to this service with these credentials provides administrator access to the MXview application’s functionality.

**Timeline**

2021-10-20 - Vendor disclosure  
2022-02-11 - Public Release  

Discovered by Patrick DeSantis of Cisco Talos.

CVE-2021-40390: TALOS-2021-1401 || Cisco Talos Intelligence Group

Patches released for Nexus Dashboard Fabric Controller vulnerabilities

Cisco software update blocks exploit chain in network management software

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.

**Abstract**

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).

**Affected Products**

Product

Severity

Fixed Release Availability

DSM 6.2

Important

Upgrade to 6.2.3-25426-3 or above.

DSM UC

Critical

Upgrade to 3.1-23033 or above.

SkyNAS

Critical

Pending

VS960HD

Critical

Pending

**Mitigation**

None

**Detail**

*   CVE-2021-26569
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.8
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Race Condition within a Thread vulnerability in iscsi\_snapshot\_comm\_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
*   CVE-2021-27646
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.8
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Use After Free vulnerability in iscsi\_snapshot\_comm\_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
*   CVE-2021-27647
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.8
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Out-of-bounds Read vulnerability in iscsi\_snapshot\_comm\_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
*   CVE-2021-27649
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.8
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
*   CVE-2021-26560
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.0
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    *   Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
*   CVE-2021-26561
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.0
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    *   Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno\_finder\_site HTTP header.
*   CVE-2021-26562
    
    *   Severity: Critical
    *   CVSS3 Base Score: 9.0
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    *   Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno\_finder\_site HTTP header.
*   CVE-2021-26564
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
*   CVE-2021-26565
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
*   CVE-2021-26566
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
*   CVE-2021-26567
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.8
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    *   Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7 allow local attackers to execute arbitrary code via filename and pathname options.
*   CVE-2021-29083
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.2
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    *   Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
*   CVE-2021-29084
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.5
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    *   Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
*   CVE-2021-29085
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.6
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    *   Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
*   CVE-2021-29087
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.5
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    *   Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
*   CVE-2021-31439
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.8
    *   CVSS3 Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
*   CVE-2021-29086
    
    *   Severity: Moderate
    *   CVSS3 Base Score: 5.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    *   Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.

**Acknowledgement**

*   Justin Taft (@oneupsecurity) working with Trend Micro’s Zero Day Initiative
    
*   Claudio Bozzato of Cisco Talos
    
*   DEVCORE working with Trend Micro’s Zero Day Initiative
    
*   STARLabs working with Trend Micro’s Zero Day Initiative
    
*   ddaa of TrapaSecurity
    
*   Chanyoung So
    

**Reference**

*   CVE-2021-26569
*   CVE-2021-27646
*   CVE-2021-27647
*   CVE-2021-27649
*   CVE-2021-26560
*   CVE-2021-26561
*   CVE-2021-26562
*   CVE-2021-26564
*   CVE-2021-26565
*   CVE-2021-26566
*   CVE-2021-26567
*   CVE-2021-29083
*   CVE-2021-29084
*   CVE-2021-29085
*   CVE-2021-29087
*   CVE-2021-31439
*   CVE-2021-29086

**Revision**

Revision

Date

Description

1

2020-11-26

Initial public release.

2

2021-02-02

Update the Acknowledgement

3

2021-02-03

Update the Acknowledgement

4

2021-04-09

Disclosed vulnerability details.

5

2021-06-01

Update for DSM UC is now available in Affected Products.

6

2021-06-24

Disclosed vulnerability details.

CVE-2022-22687: Synology_SA_20_26 | Synology Inc.

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

CVE-2022-24302: Changelog — Paramiko documentation

SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack.

NEW SmartBear Connect registration is open for Boston and London — sign up now for free

**With rapid transformation comes risk. Make sure your software works when it's needed most.**

*   API LifecycleStay ahead of the development curve
*   Test AutomationIncrease your test coverage
*   Performance TestingBe ready for high-traffic moments
*   Test Management + BDDMove forward with confidence

More APls. More problems.

If you build APIs without standards, when your demand goes up, so does risk. And you still need to keep track of them.

A better start and finish.

With standards and testing in place, high quality comes faster. And with monitoring, you’ll know of issues before customers do.

Manual testing will always be.

Automation can’t cover everything. But as Agile and DevOps continue to grow, timelines shorten. So what’s the best way to use test automation?

Identify errors faster.

Test automation’s role is to help you assure quality amongst constant change. The best tools seamlessly fall in step with your current process, then elevate it.

Load testing is a hurdle.

It's essential, but time-consuming. And tempting to skip. But even if your app is perfect 99% of the time, it's the 1% everyone remembers.

Avoid the crash.

Real-life heavy loads aren't "if." They're "when." Fortunately, load testing is faster and easier than it used to be. Our tools adhere to your process and reveal the true bottlenecks.

What we recommend:

 

Too much data binds you.

Between all the test data and people involved, deciding how to start a project can be paralyzing.

Clear the path.

Gain a better idea of what your project goals can be with our test management and BDD tools. They’ll help guide your decisions and get the best out of everyone’s time.

Plug & Play

**Click a tool – see how we integrate**

SmartBear tools work great together and on their own. They’re also open to whatever tools you’re already using. Add them to your process and it’ll take you to a whole new level of operation.

Customer Stories

**Driving growth – big & small**

*   
*   
*   
*   
*   
*   
*   
*   

American Red Cross

The Red Cross sharepoint site was overloaded with traffic during disasters, crippling its information feed within the organization at critical times. AlertSite instantly helped, notifying them of intranet issues so **they could focus more on their real jobs — saving lives**.

Products Used:

Cisco Systems

A geographically distributed team needed a solid communication way to review code. Collaborator — with its intuitive interface and ease of use — was a game changer. Before, only a fraction of code was reviewed, with everyone required to be in the same location. **Now reviewing code is efficient, easy, and frequent**.

Products Used:

TBC Bank

TBC Bank needed an automation tool that would help them reduce the time it took to prep test cases. TestComplete's easy script creation allowed their team of **non-developers to create scripts** in no time. Discover more about boosting team efficiency with script and scriptless test creation.

Products Used:

Triquestra

This omnichannel specialist needed a seamless customer experience. We helped them incorporate Design-First strategies and automation. **APIs are now easier for partners to consume, while regression cycles shortened from days to hours.**

Products Used:

  

Adidas

World-renowned sportswear company actively manages over 400 APIs. Their goal is an API- and design-first approach to speed up delivery, so they chose SwaggerHub. Now they have a **central platform for all of their API contracts**, and a tool that integrates seamlessly across their API lifecycle.

Products Used:

Flowbird

Company had to integrate all Helsinki transportation (buses, trams, metros, local railways, ferries) for commuters. With 8 teams in 3 countries, they needed a deeper level of collaboration. CucumberStudio with BDD created standardized terminology, living documentation, and **fit 3,300+ functional tests into only 1,700 steps**.

Products Used:

Honda

The leading auto manufacturer relied on Excel docs for managing test cases for their factories. They had problems with consistency, deadlines, and linking with other locations. Zephyr Squad helped them **sync up, running 545 test cases across the world**, and collaborating in a way they never thought possible.

Products Used:

Mozilla

For a mobile browser, Mozilla needed a full set of tests on a variety of physical phones. The first tests didn't go well. With BitBar, they set up a fast, reliable, and repeatable process for tests, **shrinking a 75-hour test cycle down to 5 hours**.

Products Used:

Trusted By

Featured Products

**Easy to try. Easy to use.**

6.  TestComplete Functional Testing
    

 AlertSite Monitoring

Keep an eye on applications without thinking about them.

Monitor your websites, web apps, and APIs from all over the world, and even within your private networks.

 Collaborator Peer Review

Review code together, even when you’re a world apart.

The easiest, most efficient way to review code and documents for development teams that take quality seriously.

 Cucumber BDD

Quality software, the way it was envisioned.

BDD has revolutionized how organizations build software. Cucumber provides a platform to succeed with it.

 ReadyAPI API Testing

End-to-end quality within your CI/CD pipeline.

Create and execute automated tests in one centralized interface, and speed up API quality for your Agile or DevOps software team.

 Swagger API Design

A single source of truth for your API development.

Making business goals happen starts with standardizing your API development. And with consistency, you get quality and speed.

 TestComplete Functional Testing

Make your automated testing automatic quality.

Ensure the quality of your application without sacrificing speed or agility with an easy-to-use, GUI test automation tool.

 Zephyr Test Management

Get the true insights from your testing.

An easier way to dig through the overwhelming amount of dashboard data so you can plan, develop, and execute all of your tests better — in a way that's easy to report.

Previous Next

Press Release

SmartBear Announces SmartBear Connect, A Hybrid In-person...

Read More

**FAQ****Got questions? We’ve got answers.**

*   There are so many solutions out there, it’s paralyzing to know where to start. Our advantage? Our range and emphasis on quality. Any company, of any size, of any maturity, doesn’t have to make hard decisions – they can just start with us.
    
    The SmartBear selection of tools run the full gamut of the software development lifecycle, all of which place quality at a premium. We work with just about anything else in your tech stack, plus our tools are designed to work especially well with each other.
    
*   Why is quality such a big deal?
    
    Because 1) if it doesn't work well, then it doesn't work at all. And 2) the complexity of applications isn't going anywhere but up. Quality is what determines whether or not software works. We've all done it: you download an app, it freezes for 2 seconds, so you delete it and move on. If you don't have time for lousy quality, then neither do your customers. The entire world depends on technology, and that fact gets stronger by the day. Quality is essential.
    
*   Does test automation replace manual testing?
    
    Manual testing will probably never go away, because every piece of software has its own idiosyncrasies that require more creative types of testing or exploration. But test automation is there to handle the massive amounts of testing that would otherwise be long, tedious, and prone to error. When software was simpler, manual testing could usually cover it, no problem. But think of the differences between websites in the '90s and now. Now apply that to the rest of the world. To compete with the inherent complexity of today's technology requires test automation.
    
*   How do I start towards automation?
    
    For such a momentous occasion, we've created the Test Automation Starter Kit, which will escort you exactly where you're looking to go.
    
*   Doesn't automation negatively affect quality?
    
    There's an old saying that came out when test automation first started: "Test automation enables you to release bad software faster than ever before." It's a saying we're all well aware of here. That's why every tool we have is guided by the mantra "quality first." Bad tests get bad results, so what's the point of testing if it's not testing the correct things?
    
*   What kind of free resources do you have available?
    
    Glad you asked. We have free training for all of our tools, a passionate online community where other members will be glad to help you with any specific issues, and even an ROI calculator that gives you the numbers on why code review can only help.
    
*   What kind of techniques can help my team with collaboration?
    
    You should check out the concept of behavior-driven development, which has revolutionized the process by which teams work together and develop software.
    
*   How do you help customers with DevOps?
    
    We start with the knowledge that DevOps is more than just a set of tools and practices that help teams work together. It's a journey. And you can start that journey here.
    

**And an online community to back you up.**

Our solutions don't just come from inside the building. We've got help.

1M Members Strong

180K Posts

10K+ Companies

180 Countries

**Products**

**Additional Links**

CVE-2021-41657: SmartBear Software - Quality isn’t just a goal. It’s the whole point.

NEW SmartBear Launches Global ESG Initiative to Foster Social Responsibility

**With rapid transformation comes risk. Make sure your software works when it's needed most.**

*   API LifecycleStay ahead of the development curve
*   Test AutomationIncrease your test coverage
*   Performance TestingBe ready for high-traffic moments
*   Test Management + BDDMove forward with confidence

More APls. More problems.

If you build APIs without standards, when your demand goes up, so does risk. And you still need to keep track of them.

A better start and finish.

With standards and testing in place, high quality comes faster. And with monitoring, you’ll know of issues before customers do.

What we recommend:

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/swh_icon-clr.svg) ![](http://smartbear.com/smartbearbrand/media/images/logos/icons/ra_icon-clr.svg)

Manual testing will always be.

Automation can’t cover everything. But as Agile and DevOps continue to grow, timelines shorten. So what’s the best way to use test automation?

Identify errors faster.

Test automation’s role is to help you assure quality amongst constant change. The best tools seamlessly fall in step with your current process, then elevate it.

Load testing is a hurdle.

It's essential, but time-consuming. And tempting to skip. But even if your app is perfect 99% of the time, it's the 1% everyone remembers.

Avoid the crash.

Real-life heavy loads aren't "if." They're "when." Fortunately, load testing is faster and easier than it used to be. Our tools adhere to your process and reveal the true bottlenecks.

What we recommend:

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/ln_icon-clr.svg) ![](http://smartbear.com/smartbearbrand/media/images/logos/icons/lp_icon-clr.svg)

Too much data binds you.

Between all the test data and people involved, deciding how to start a project can be paralyzing.

Clear the path.

Gain a better idea of what your project goals can be with our test management and BDD tools. They’ll help guide your decisions and get the best out of everyone’s time.

Plug & Play

**Click a tool – see how we integrate**

SmartBear tools work great together and on their own. They’re also open to whatever tools you’re already using. Add them to your process and it’ll take you to a whole new level of operation.

Customer Stories

**Driving growth – big & small**

*   
*   
*   
*   
*   
*   
*   
*   

American Red Cross

The Red Cross sharepoint site was overloaded with traffic during disasters, crippling its information feed within the organization at critical times. AlertSite instantly helped, notifying them of intranet issues so **they could focus more on their real jobs — saving lives**.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/as_product-only-clr.svg)

Cisco Systems

A geographically distributed team needed a solid communication way to review code. Collaborator — with its intuitive interface and ease of use — was a game changer. Before, only a fraction of code was reviewed, with everyone required to be in the same location. **Now reviewing code is efficient, easy, and frequent**.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/co_product-only-clr.svg)

TBC Bank

TBC Bank needed an automation tool that would help them reduce the time it took to prep test cases. TestComplete's easy script creation allowed their team of **non-developers to create scripts** in no time. Discover more about boosting team efficiency with script and scriptless test creation.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/tc_product-only-clr_no-tm.svg)

Triquestra

This omnichannel specialist needed a seamless customer experience. We helped them incorporate Design-First strategies and automation. **APIs are now easier for partners to consume, while regression cycles shortened from days to hours.**

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/ra_product-only-clr_no-tm.svg) ![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/tc_product-only-clr_no-tm.svg) ![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/swh_product-only-clr.svg)

Adidas

World-renowned sportswear company actively manages over 400 APIs. Their goal is an API- and design-first approach to speed up delivery, so they chose SwaggerHub. Now they have a **central platform for all of their API contracts**, and a tool that integrates seamlessly across their API lifecycle.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/swh_product-only-clr.svg)

Flowbird

Company had to integrate all Helsinki transportation (buses, trams, metros, local railways, ferries) for commuters. With 8 teams in 3 countries, they needed a deeper level of collaboration. CucumberStudio with BDD created standardized terminology, living documentation, and **fit 3,300+ functional tests into only 1,700 steps**.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/cuc_product-only-clr.svg)

Honda

The leading auto manufacturer relied on Excel docs for managing test cases for their factories. They had problems with consistency, deadlines, and linking with other locations. Zephyr Squad helped them **sync up, running 545 test cases across the world**, and collaborating in a way they never thought possible.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/zsq_product-only-clr.svg)

Mozilla

For a mobile browser, Mozilla needed a full set of tests on a variety of physical phones. The first tests didn't go well. With BitBar, they set up a fast, reliable, and repeatable process for tests, **shrinking a 75-hour test cycle down to 5 hours**.

Products Used:

![](http://smartbear.com/smartbearbrand/media/images/logos/product-only/bb_product-only-clr.svg)

Trusted By

Featured Products

**Easy to try. Easy to use.**

6.  TestComplete Functional Testing
    

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/as_icon-clr.svg) AlertSite Monitoring

Keep an eye on applications without thinking about them.

Monitor your websites, web apps, and APIs from all over the world, and even within your private networks.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_as.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/co_icon-clr.svg) Collaborator Peer Review

Review code together, even when you’re a world apart.

The easiest, most efficient way to review code and documents for development teams that take quality seriously.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_co.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/cuc_icon-clr.svg) Cucumber BDD

Quality software, the way it was envisioned.

BDD has revolutionized how organizations build software. Cucumber provides a platform to succeed with it.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_cu.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/ra_icon-clr.svg) ReadyAPI API Testing

End-to-end quality within your CI/CD pipeline.

Create and execute automated tests in one centralized interface, and speed up API quality for your Agile or DevOps software team.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_ra.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/sw_icon-clr.svg) Swagger API Design

A single source of truth for your API development.

Making business goals happen starts with standardizing your API development. And with consistency, you get quality and speed.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_sw.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/tc_icon-clr.svg) TestComplete Functional Testing

Make your automated testing automatic quality.

Ensure the quality of your application without sacrificing speed or agility with an easy-to-use, GUI test automation tool.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_tc.jpg)

![](http://smartbear.com/smartbearbrand/media/images/logos/icons/ze_icon-clr.svg) Zephyr Test Management

Get the true insights from your testing.

An easier way to dig through the overwhelming amount of dashboard data so you can plan, develop, and execute all of your tests better — in a way that's easy to report.

![](http://smartbear.com/smartbearbrand/media/images/home/screenshot_ze.jpg)

Previous Next

Industry News

Inspiring the Future: 10 Women Leaders Discuss Their Role...

“Do not disengage, but set your own terms,” and other valuable lessons that women...

Read More

**FAQ****Got questions? We’ve got answers.**

*   There are so many solutions out there, it’s paralyzing to know where to start. Our advantage? Our range and emphasis on quality. Any company, of any size, of any maturity, doesn’t have to make hard decisions – they can just start with us.
    
    The SmartBear selection of tools run the full gamut of the software development lifecycle, all of which place quality at a premium. We work with just about anything else in your tech stack, plus our tools are designed to work especially well with each other.
    
*   Why is quality such a big deal?
    
    Because 1) if it doesn't work well, then it doesn't work at all. And 2) the complexity of applications isn't going anywhere but up. Quality is what determines whether or not software works. We've all done it: you download an app, it freezes for 2 seconds, so you delete it and move on. If you don't have time for lousy quality, then neither do your customers. The entire world depends on technology, and that fact gets stronger by the day. Quality is essential.
    
*   Does test automation replace manual testing?
    
    Manual testing will probably never go away, because every piece of software has its own ideosyncracies that require more creative types of testing or exploration. But test automation is there to handle the massive amounts of testing that would be otherwise be long, tedious, and prone to error. When software was simpler, manual testing could usually cover it, no problem. But think of the difference between websites in 1998 and 2020. Now apply that to the rest of the world. To complete with the inherent complexity of today's technology requires test automation.
    
*   How do I start towards automation?
    
    For such a momentous occasion, we've created the Test Automation Starter Kit, which will escort you exactly where you're looking to go.
    
*   Doesn't automation negatively affect quality?
    
    There's an old saying that came out when test automation first started: "Test automation enables you to release bad software faster than ever before." It's a saying we're all well aware of here. That's why every tool we have is guided by the mantra "quality first." Bad tests get bad results, so what's the point of testing if it's not testing the correct things?
    
*   What kind of free resources do you have available?
    
    Glad you asked. We have free training for all of our tools, a passionate online community where other members will be glad to help you with any specific issues, and even an ROI calculator that gives you the numbers on why code review can only help.
    
*   What kind of techniques can help my team with collaboration?
    
    You should check out the concept of behavior-driven development, which has revolutionized the process by which teams work together and develop software.
    
*   How do you help customers with DevOps?
    
    We start with the knowledge that DevOps is more than just a set of tools and practices that help teams work together. It's a journey. And you can start that journey here.
    

**And an online community to back you up.**

Our solutions don't just come from inside the building. We've got help.

1M Members Strong

180K Posts

10K+ Companies

180 Countries

          

Close

Choose your product to log in to

Tag

#cisco