Details of VAR-201708-1063

ID

VAR-201708-1063

CVE

CVE-2017-11158

TITLE

Synology Cloud Station Drive Vulnerabilities related to untrusted search paths

Trust: 0.8

sources: JVNDB: JVNDB-2017-007566

DESCRIPTION

Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Cloud Station Drive Contains an unreliable search path vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Synology Cloud Station Drive for Windows is a Windows-based computer synchronization tool from Synology. installer is one of the installers. (Malicious files include: (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll, or (4) dwmapi.dll)

Trust: 1.71

sources: NVD: CVE-2017-11158 // JVNDB: JVNDB-2017-007566 // VULHUB: VHN-101552

AFFECTED PRODUCTS

vendor:	synology	model:	cloud station drive	scope:	lte	version:	4.2.4-4393	Trust: 1.0
vendor:	synology	model:	cloud station drive	scope:	lt	version:	4.2.5-4396	Trust: 0.8
vendor:	synology	model:	cloud station drive	scope:	eq	version:	4.2.4-4393	Trust: 0.6

sources: JVNDB: JVNDB-2017-007566 // CNNVD: CNNVD-201707-375 // NVD: CVE-2017-11158

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-11158
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-11158
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201707-375
value:	HIGH
Trust: 0.6
VULHUB:	VHN-101552
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-11158
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-101552
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-11158
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-101552 // JVNDB: JVNDB-2017-007566 // CNNVD: CNNVD-201707-375 // NVD: CVE-2017-11158

PROBLEMTYPE DATA

problemtype:	CWE-426	Trust: 1.9
problemtype:	CWE-427	Trust: 1.0

sources: VULHUB: VHN-101552 // JVNDB: JVNDB-2017-007566 // NVD: CVE-2017-11158

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201707-375

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201707-375

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007566

PATCH

title:	Synology-SA-17:51 Cloud Station Drive	url:	https://www.synology.com/en-global/support/security/Synology_SA_17_51_Cloud_Station_Drive	Trust: 0.8
title:	Synology Cloud Station Drive for Windows Fixes for installer vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99907	Trust: 0.6

sources: JVNDB: JVNDB-2017-007566 // CNNVD: CNNVD-201707-375

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11158	Trust: 2.5
db:	JVNDB	id:	JVNDB-2017-007566	Trust: 0.8
db:	CNNVD	id:	CNNVD-201707-375	Trust: 0.7
db:	VULHUB	id:	VHN-101552	Trust: 0.1

sources: VULHUB: VHN-101552 // JVNDB: JVNDB-2017-007566 // CNNVD: CNNVD-201707-375 // NVD: CVE-2017-11158

REFERENCES

url:	https://www.synology.com/en-global/support/security/synology_sa_17_51_cloud_station_drive	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11158	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-11158	Trust: 0.8

sources: VULHUB: VHN-101552 // JVNDB: JVNDB-2017-007566 // CNNVD: CNNVD-201707-375 // NVD: CVE-2017-11158

SOURCES

db:	VULHUB	id:	VHN-101552
db:	JVNDB	id:	JVNDB-2017-007566
db:	CNNVD	id:	CNNVD-201707-375
db:	NVD	id:	CVE-2017-11158

LAST UPDATE DATE

2025-04-20T23:35:47.358000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-101552	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-007566	date:	2017-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201707-375	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-11158	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-101552	date:	2017-08-31T00:00:00
db:	JVNDB	id:	JVNDB-2017-007566	date:	2017-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201707-375	date:	2017-07-11T00:00:00
db:	NVD	id:	CVE-2017-11158	date:	2017-08-31T13:29:00.200