Resilio Sync for Synology Fixed admin password vulnerability (CVE-2017-7270)

- March
Posted by: Javier Tallón

Resilio (formerly BitTorrent Sync) delivers powerful solutions using their unique private cloud software built on core bittorrent technology. For well over 15 years, BitTorrent has been the leading technology to deliver large files over the Internet. BitTorrent Sync was the world’s first product to harness this powerful protocol for commercial purposes and Resilio expands on this mission.

For a wide array of applications such as large file collaboration, file sync, folder sync, automated backup, and sending large files faster and more securely, Resilio offers the industry-leading and fastest private cloud solution, trusted by millions of consumers and thousands of businesses worldwide.

The Resilio Sync client for Synology NAS suffers from a vulnerability that allows remote users to connect to the NAS with admin privileges.

The vulnerability occurs because, during installation of the package, the installation script adds a user with administrator privileges and a fixed password. The offending lines are the following:

synouser --add x " user" 0 "" ""
synogroup --member administrators > /dev/null 2>&1
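As an added example (not code from the advisory or from Resilio's package), the following POSIX sh script audits a directory of Synology package install scripts for the pattern shown above: a synouser --add call whose password field is a fixed literal rather than a shell variable, and a synogroup --member administrators call that grants the new account admin rights. The two sample scripts it writes into a temporary directory are constructed for the demonstration; the path /var/packages/<package>/scripts is an assumption about where DSM keeps a package's scripts.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Resilio's package code.
# Audits Synology package install scripts for an account created with a
# hard-coded password and then placed in the administrators group.

# audit_install_scripts DIR
# Scans every regular file in DIR and prints "FILE:LINE:content" for each line that
#   (a) calls `synouser --add <name> <password> ...` with a non-empty literal
#       password (the password word does not start with '$' or '"$'), or
#   (b) calls `synogroup --member administrators ...`.
# Exit status is 0 when at least one finding was printed, 1 otherwise.
audit_install_scripts() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # (a) fixed password: the word after the user name is not a variable reference
        if out=$(grep -nE '^[[:space:]]*synouser[[:space:]]+--add[[:space:]]+[^[:space:]]+[[:space:]]+"?[^"$[:space:]]' "$f"); then
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            found=1
        fi
        # (b) membership in the administrators group
        if out=$(grep -nE '^[[:space:]]*synogroup[[:space:]]+--member[[:space:]]+administrators' "$f"); then
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# make_sample_dir
# Creates a temporary directory holding two constructed install scripts, one that
# reproduces the vulnerable pattern and one that does not, and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    # Constructed: same shape as the offending lines in the advisory
    cat > "$d/vulnerable_postinst" <<'EOF'
#!/bin/sh
synouser --add svcuser x "Service user" 0 "" ""
synogroup --member administrators svcuser
EOF
    # Constructed: a safe counterpart, random password and no administrators membership
    cat > "$d/safe_postinst" <<'EOF'
#!/bin/sh
PASS=$(head -c 24 /dev/urandom | base64)
synouser --add svcuser "$PASS" "Service user" 0 "" ""
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed samples: `sh audit.sh --demo`.
# On a real NAS (assumed layout): audit_install_scripts /var/packages/<package>/scripts
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    audit_install_scripts "$sample"
    rm -rf "$sample"
fi
```

The demo reports both lines of vulnerable_postinst and nothing from safe_postinst, because the safe script passes the password as "$PASS". An empty literal password ("") is not flagged by check (a); extend the regex if that case matters for your packages.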

The vulnerability has been confirmed to be present in version 2.4.4; other versions may be affected. The assigned CVE is CVE-2017-7270.

The vendor was notified, and the vulnerability was patched in version 2.5.5.

Vulnerable servers that expose their interfaces to the Internet may be accessed remotely with admin privileges using the user rslsync and the password 'x'.

We are proud to announce this vulnerability as the first public vulnerability discovered by the new jtsec staff!

Javier Tallón/Author

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes (up to EAL5+). His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference). He also teaches cyber security, giving classes in Secure Software Engineering at the University of Granada.