Resilio (formerly BitTorrent Sync) delivers powerful solutions using their unique private cloud software built on core bittorrent technology. For well over 15 years, BitTorrent has been the leading technology to deliver large files over the Internet. BitTorrent Sync was the world’s first product to harness this powerful protocol for commercial purposes and Resilio expands on this mission.
For a wide array of applications such as large file collaboration, file sync, folder sync, automated backup, and sending large files faster and more securely, Resilio offers the industry-leading and fastest private cloud solution, trusted by millions of consumers and thousands of businesses worldwide.
The Resilio Sync client for Synology NAS suffers from a vulnerability that allows remote users to connect to the NAS with admin privileges.
The vulnerability occurs because, during installation of the package, the installation script adds a user with admin privileges and a fixed password. The offending lines are the following:
synouser --add x " user" 0 "" ""
synogroup --member administrators > /dev/null 2>&1
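As an added example (not part of the advisory or of Resilio's package scripts), the following POSIX shell script shows how an administrator can audit a Synology NAS for exactly this class of issue: a package install dropping an unexpected account into the administrators group. It reads the group file in /etc/group format and reports every member of the chosen group that is not on an allowlist you supply. The group file contents below are constructed, and the rslsync account in it is a stand-in for what the vulnerable installer creates; on a real DSM box you would point the function at /etc/group and list the admin accounts you actually created.

```shell
#!/bin/sh
# Added example (not from the advisory or Resilio): audit the administrators
# group on a Synology NAS for accounts that are not on an expected allowlist.
# Detecting a silently added privileged account is the defender-side check for
# the installer behaviour described in the advisory.

# Print members of group $2 found in group file $1 that are not in the
# space-separated allowlist $3 (one name per line; nothing if all expected).
unexpected_group_members() {
    group_file=$1
    group_name=$2
    allow=$3
    # /etc/group format: name:password:gid:member1,member2,...
    members=$(awk -F: -v g="$group_name" '$1 == g { print $4 }' "$group_file" | tr ',' ' ')
    for m in $members; do
        case " $allow " in
            *" $m "*) ;;          # expected account, nothing to report
            *) echo "$m" ;;       # unexpected member of a privileged group
        esac
    done
}

# Number of unexpected members of the administrators group in group file $1,
# given allowlist $2. Handy for a cron job or monitoring check.
count_unexpected_admins() {
    unexpected_group_members "$1" administrators "$2" | wc -l | tr -d ' '
}

# Constructed sample resembling a DSM /etc/group after a package installer
# added an account (rslsync here, hypothetical) to administrators.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
administrators:x:101:admin,rslsync
users:x:100:admin,rslsync,alice
EOF

# Usage: on a real NAS replace "$SAMPLE_GROUP" with /etc/group and "admin"
# with the admin accounts you created yourself.
if [ "$(count_unexpected_admins "$SAMPLE_GROUP" "admin")" -eq 0 ]; then
    echo "OK: no unexpected members of administrators"
else
    echo "WARNING: unexpected members of administrators:"
    unexpected_group_members "$SAMPLE_GROUP" administrators "admin"
fi
```

Running the check from a scheduled task and alerting on a non-zero count catches a package that adds a privileged account, whatever its name or password happens to be, which is more robust than looking for one specific user.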
The vulnerability has been confirmed to be present in version 2.4.4; other versions may be affected. The assigned CVE is CVE-2017-7270.
The vendor was notified and the vulnerability patched in version 2.5.5.
Vulnerable NAS devices that expose their interfaces to the Internet may be accessed remotely with admin privileges using the user rslsync with password 'x'.
We are proud to announce this vulnerability as the first public vulnerability discovered by the new jtsec staff!