CVE-2021-26569

9.8 CRITICAL

📋 TL;DR

A race condition vulnerability in Synology DiskStation Manager's iSCSI snapshot component allows remote attackers to execute arbitrary code via crafted web requests. This affects Synology NAS devices running DSM before version 6.2.3-25426-3, potentially giving attackers full system control.

💻 Affected Systems

Products:
  • Synology DiskStation Manager (DSM)
Versions: All versions before 6.2.3-25426-3
Operating Systems: Synology DSM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Synology NAS devices with iSCSI functionality enabled. DSM 6.2.3-25426-3 and later versions are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains root privileges and full control of the NAS device, potentially compromising all stored data and using the device as a pivot point into the network.

🟠

Likely Case

Remote attacker executes arbitrary code with elevated privileges, potentially installing malware, exfiltrating data, or disrupting services.

🟢

If Mitigated

Attack prevented by network segmentation, patched systems, or disabled vulnerable services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires winning a race condition, but the vulnerable component is reachable remotely through the web interface. The ZDI advisory indicates that exploitation is feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DSM 6.2.3-25426-3 or later

Vendor Advisory: https://www.synology.com/security/advisory/Synology_SA_20_26

Restart Required: Yes

Instructions:

1. Log into the DSM web interface as an administrator.
2. Go to Control Panel > Update & Restore.
3. Click 'Download DSM Update' if needed.
4. Click 'Update Now' to install DSM 6.2.3-25426-3 or later.
5. The system will restart automatically.

🔧 Temporary Workarounds

Disable iSCSI Service

all

Temporarily disable iSCSI functionality if not required

Login to DSM > Storage Manager > iSCSI Manager > Disable iSCSI service

Network Segmentation

all

Restrict access to DSM web interface to trusted networks only

Configure firewall rules to limit DSM port (default 5000/5001) access

🧯 If You Can't Patch

  • Isolate affected NAS devices from internet and untrusted networks
  • Implement strict network access controls to DSM management interface

🔍 How to Verify

Check if Vulnerable:

Check the DSM version in Control Panel > Info Center. If the version is earlier than 6.2.3-25426-3, the system is vulnerable.

Check Version:

ssh admin@nas 'cat /etc.defaults/VERSION'

Verify Fix Applied:

Confirm DSM version is 6.2.3-25426-3 or later in Control Panel > Info Center.

📡 Detection & Monitoring

Log Indicators:

  • Unusual iSCSI snapshot activity
  • Multiple rapid requests to iSCSI endpoints
  • Process execution from web service context

Network Indicators:

  • Multiple HTTP requests to /webapi/entry.cgi with iSCSI parameters
  • Unusual outbound connections from NAS after web requests

SIEM Query:

source="synology" AND (uri_path="/webapi/entry.cgi" AND query="api=SYNO.Core.ISCSISnapshot" AND count>10 within 1s)
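The burst rule above, implemented over constructed access-log lines as an added example (not part of this advisory and not Synology tooling): the log format, IP addresses and timestamps are assumptions chosen for illustration, and the rule flags any source IP that sends more than 10 requests to /webapi/entry.cgi with api=SYNO.Core.ISCSISnapshot inside a one-second sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample log lines (assumed format, not real Synology output): one
# client fires twelve ISCSISnapshot requests within one second, another client
# makes three spaced a minute apart, and one request goes to an unrelated API.
BURST_IP = "203.0.113.7"
QUIET_IP = "198.51.100.9"
REQ = '"GET /webapi/entry.cgi?api=SYNO.Core.ISCSISnapshot&method=list HTTP/1.1" 200'
SAMPLE_LOG = (
    [f"2021-02-10T12:00:00.{i * 50:03d}Z {BURST_IP} {REQ}" for i in range(12)]
    + [f"2021-02-10T12:0{i}:00.000Z {QUIET_IP} {REQ}" for i in range(3)]
    + [f'2021-02-10T12:00:00.100Z {QUIET_IP} "GET /webapi/entry.cgi?api=SYNO.Core.System HTTP/1.1" 200']
)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)'
    r'(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" (?P<status>\d{3})$'
)

def parse_line(line):
    """Return (timestamp, ip, path, query dict), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m["ip"], m["path"], parse_qs(m["query"] or "")

def find_bursts(lines, threshold=10, window=timedelta(seconds=1)):
    """Map source IP -> peak ISCSISnapshot request count in any `window`; keep IPs above `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash the sweep
        ts, ip, path, query = parsed
        if path == "/webapi/entry.cgi" and "SYNO.Core.ISCSISnapshot" in query.get("api", []):
            per_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):  # two-pointer sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak > threshold:
            peaks[ip] = peak
    return peaks
```

On the sample data only the bursting client is reported; the threshold and window are parameters so the rule can be tuned to a site's normal iSCSI Manager traffic.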
