Synology has disclosed multiple critical vulnerabilities in Surveillance Station versions before 9.2.0-11289. They allow remote authenticated users to access intranet resources, bypass security constraints, conduct denial-of-service attacks, inject SQL commands, elevate privileges, and obtain sensitive information, compromising the confidentiality and integrity of affected Surveillance Station installations. Every issue in this set requires an authenticated user, so the practical exposure scales with how many accounts can reach the Surveillance Station interface, especially where it is reachable from the internet.
The affected products are Surveillance Station for DSM 7.2, DSM 7.1, and DSM 6.2. Synology advises upgrading to the fixed release for each DSM line promptly. Of note, CVE-2024-29241, rated 9.9 (Critical) on the CVSS scale, allows an attacker to bypass security constraints and is the most severe of the set. Synology credits the security researchers TEAM.ENVY, Tim Coen, and Zhao Runzi with discovering these vulnerabilities.
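The one check an administrator actually needs from this advisory is whether an installed build predates 9.2.0-11289. Synology package versions have the form MAJOR.MINOR.PATCH-BUILD, and the build number must be compared numerically: as strings, `9.2.0-9289` sorts after `9.2.0-11289` even though build 9289 is older. The following is an added example, not code from Synology or from the advisory; it assumes the fixed build stated above and that the version string is obtained from the NAS (for instance from the DSM Package Center or from `synopkg version SurveillanceStation` in an SSH session). It compares only against the single fixed build this page gives; confirm the fixed build for your DSM line in Synology's advisory before trusting a "not affected" result.

```python
import re
import sys
from typing import Tuple

# Fixed build stated in the Synology advisory summarised above.
FIXED_VERSION = "9.2.0-11289"

# Synology package version format: MAJOR.MINOR.PATCH-BUILD, all numeric.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH-BUILD' into a tuple of ints.

    Tuples compare element-wise, so the build number is compared as an
    integer rather than as text (9289 < 11289, whereas "9289" > "11289").
    Anything that does not match the format raises, so a blank or garbled
    version line is never silently reported as patched.
    """
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def report(installed: str, fixed: str = FIXED_VERSION) -> str:
    """Human-readable verdict for a single installed version string."""
    if is_affected(installed, fixed):
        return f"Surveillance Station {installed} is AFFECTED; upgrade to {fixed} or later"
    return f"Surveillance Station {installed} is at or above the fixed build {fixed}"


if __name__ == "__main__":
    # Pass the version string as the first argument, e.g. the output of
    # `synopkg version SurveillanceStation`. Without an argument a
    # constructed sample value is used so the script runs offline.
    sample = sys.argv[1] if len(sys.argv) > 1 else "9.2.0-9289"  # constructed sample
    try:
        print(report(sample))
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        sys.exit(2)
```

Run it on the NAS as `python3 check_ss.py "$(synopkg version SurveillanceStation)"`; a non-zero exit means the version could not be parsed and must be checked by hand rather than assumed safe.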