ID

VAR-201807-0052


CVE

CVE-2016-6554


TITLE

Synology NAS servers contain insecure default credentials

Trust: 0.8

sources: CERT/CC: VU#404187

DESCRIPTION

Multiple Synology NAS servers ship with authentication credentials that are common to all devices. Credentials management (CWE-255) - CVE-2016-6554. The Synology NAS servers DS107, DS116 and DS213 are configured by default with the credentials "guest:(no password)" and "admin:(no password)". A remote third party could access the device with administrator privileges. Multiple Synology DiskStation products are prone to an insecure default-password vulnerability. Remote attackers with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks. The following products are affected: Synology DiskStation DS107 running firmware versions 3.1-1639 and prior; Synology DiskStation DS116 running firmware versions prior to 5.2-5644-1; Synology DiskStation DS213 running firmware versions prior to 5.2-5644-1. Synology DiskStation DS107 and the other listed models are network-attached storage (NAS) servers made by Synology. A trust management vulnerability exists in several Synology products due to the use of non-random default credentials (guest: (blank) and admin: (blank)).

Trust: 1.08

sources: JVNDB: JVNDB-2016-005560 // BID: 93805 // VULHUB: VHN-95374

AFFECTED PRODUCTS

vendor: synology, model: ds107, scope: lte, version: 3.1-1639

Trust: 1.0

vendor: synology, model: ds213, scope: lte, version: 5.2-5644-1

Trust: 1.0

vendor: synology, model: ds116, scope: lte, version: 5.2-5644-1

Trust: 1.0

vendor: synology, model: -, scope: -, version: -

Trust: 0.8

vendor: synology, model: disk station ds107, scope: lte, version: 3.1-1639

Trust: 0.8

vendor: synology, model: diskstation ds116, scope: lt, version: 5.2-5644-1

Trust: 0.8

vendor: synology, model: diskstation ds213, scope: lt, version: 5.2-5644-1

Trust: 0.8

vendor: synology, model: ds213, scope: eq, version: 5.2-5644-1

Trust: 0.6

vendor: synology, model: ds107, scope: eq, version: 3.1-1639

Trust: 0.6

vendor: synology, model: ds116, scope: eq, version: 5.2-5644-1

Trust: 0.6

vendor: synology, model: diskstation ds213, scope: eq, version: 0

Trust: 0.3

vendor: synology, model: diskstation ds116, scope: eq, version: 0

Trust: 0.3

vendor: synology, model: diskstation ds107, scope: eq, version: 3.1-1639

Trust: 0.3

vendor: synology, model: diskstation ds213, scope: ne, version: 5.2-5644-1

Trust: 0.3

vendor: synology, model: diskstation ds116, scope: ne, version: 5.2-5644-1

Trust: 0.3

sources: CERT/CC: VU#404187 // BID: 93805 // JVNDB: JVNDB-2016-005560 // CNNVD: CNNVD-201610-697 // NVD: CVE-2016-6554

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6554
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-6554
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2016-005560
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201610-697
value: CRITICAL

Trust: 0.6

VULHUB: VHN-95374
value: HIGH

Trust: 0.1

VULMON: CVE-2016-6554
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-6554
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2016-6554
severity: MEDIUM
baseScore: 6.9
vectorString: NONE
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2016-005560
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-95374
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-6554
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2016-005560
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CERT/CC: VU#404187 // VULHUB: VHN-95374 // VULMON: CVE-2016-6554 // JVNDB: JVNDB-2016-005560 // CNNVD: CNNVD-201610-697 // NVD: CVE-2016-6554

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-95374 // JVNDB: JVNDB-2016-005560 // NVD: CVE-2016-6554

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-697

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201610-697

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005560

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#404187

PATCH

title: DS107 Release Notes, url: https://www.synology.com/en-global/releaseNote/DS107

Trust: 0.8

title: DS116 Release Notes, url: https://www.synology.com/en-global/releaseNote/DS116

Trust: 0.8

title: DS213 Release Notes, url: https://www.synology.com/en-global/releaseNote/DS213

Trust: 0.8

title: Multiple Synology Product security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65060

Trust: 0.6

sources: JVNDB: JVNDB-2016-005560 // CNNVD: CNNVD-201610-697

EXTERNAL IDS

db: CERT/CC, id: VU#404187

Trust: 3.7

db: NVD, id: CVE-2016-6554

Trust: 2.9

db: BID, id: 93805

Trust: 2.1

db: JVN, id: JVNVU93774715

Trust: 0.8

db: JVNDB, id: JVNDB-2016-005560

Trust: 0.8

db: CNNVD, id: CNNVD-201610-697

Trust: 0.7

db: VULHUB, id: VHN-95374

Trust: 0.1

db: VULMON, id: CVE-2016-6554

Trust: 0.1

sources: CERT/CC: VU#404187 // VULHUB: VHN-95374 // VULMON: CVE-2016-6554 // BID: 93805 // JVNDB: JVNDB-2016-005560 // CNNVD: CNNVD-201610-697 // NVD: CVE-2016-6554

REFERENCES

url:https://www.kb.cert.org/vuls/id/404187

Trust: 3.0

url:https://www.synology.com/en-global/releasenote/ds213

Trust: 2.6

url:https://www.securityfocus.com/bid/93805

Trust: 1.8

url:https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf

Trust: 1.6

url:http://cwe.mitre.org/data/definitions/255.html

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6554

Trust: 0.8

url:http://jvn.jp/vu/jvnvu93774715/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2016-6554

Trust: 0.8

url:https://www.synology.com/en-global/

Trust: 0.3

url:http://tools.cisco.com/security/center/viewalert.x?alertid=49377

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CERT/CC: VU#404187 // VULHUB: VHN-95374 // VULMON: CVE-2016-6554 // BID: 93805 // JVNDB: JVNDB-2016-005560 // CNNVD: CNNVD-201610-697 // NVD: CVE-2016-6554

CREDITS

Ory Segal and Ezra Caltum

Trust: 0.9

sources: BID: 93805 // CNNVD: CNNVD-201610-697

SOURCES

db: CERT/CC, id: VU#404187
db: VULHUB, id: VHN-95374
db: VULMON, id: CVE-2016-6554
db: BID, id: 93805
db: JVNDB, id: JVNDB-2016-005560
db: CNNVD, id: CNNVD-201610-697
db: NVD, id: CVE-2016-6554

LAST UPDATE DATE

2024-11-23T21:53:00.267000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#404187, date: 2016-10-20T00:00:00
db: VULHUB, id: VHN-95374, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2016-6554, date: 2019-10-09T00:00:00
db: BID, id: 93805, date: 2016-10-26T01:16:00
db: JVNDB, id: JVNDB-2016-005560, date: 2016-10-24T00:00:00
db: CNNVD, id: CNNVD-201610-697, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2016-6554, date: 2024-11-21T02:56:20.663

SOURCES RELEASE DATE

db: CERT/CC, id: VU#404187, date: 2016-10-20T00:00:00
db: VULHUB, id: VHN-95374, date: 2018-07-13T00:00:00
db: VULMON, id: CVE-2016-6554, date: 2018-07-13T00:00:00
db: BID, id: 93805, date: 2016-10-20T00:00:00
db: JVNDB, id: JVNDB-2016-005560, date: 2016-10-24T00:00:00
db: CNNVD, id: CNNVD-201610-697, date: 2016-10-25T00:00:00
db: NVD, id: CVE-2016-6554, date: 2018-07-13T20:29:00.753