CVE-2021-27647 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-27647?

CVE-2021-27647 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Synology DiskStation Manager (DSM) systems by sending specially crafted web requests. It affects DSM versions before 6.2.3-25426-3 and can be exploited without authentication. The out-of-bounds read in the iSCSI snapshot component enables remote code execution.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Synology DiskStation Manager (DSM) systems by sending specially crafted web requests. It affects DSM versions before 6.2.3-25426-3 and can be exploited without authentication. The out-of-bounds read in the iSCSI snapshot component enables remote code execution.

💻 Affected Systems

Products:

Synology DiskStation Manager (DSM)

Versions: All versions before 6.2.3-25426-3

Operating Systems: Synology DSM

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with iSCSI functionality enabled, which is common in storage-focused configurations.

📦 What is this software?

Diskstation Manager by Synology

View all CVEs affecting Diskstation Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, data theft, ransomware deployment, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to data exfiltration, lateral movement within the network, and service disruption.

🟢

If Mitigated

Limited impact if systems are patched, isolated from internet, and have proper network segmentation.

🌐 Internet-Facing: HIGH - Exploitable via web requests without authentication, making internet-facing Synology devices prime targets.

🏢 Internal Only: MEDIUM - Still exploitable from internal networks, but requires attacker to have network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

ZDI advisory suggests weaponization is likely given the high CVSS score and unauthenticated nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DSM 6.2.3-25426-3 and later

Vendor Advisory: https://www.synology.com/security/advisory/Synology_SA_20_26

Restart Required: Yes

Instructions:

1. Log into DSM web interface as administrator. 2. Go to Control Panel > Update & Restore. 3. Click 'Download DSM Update' if not already downloaded. 4. Click 'Install Now' and follow prompts. 5. System will restart automatically.

🔧 Temporary Workarounds

Disable iSCSI Service

linux

Temporarily disable iSCSI functionality to block exploitation vector

ssh admin@synology-nas
sudo synoservice --disable pkgctl-iSCSITarget
sudo synoservice --disable pkgctl-iSCSILUN

Network Isolation

linux

Restrict access to DSM web interface using firewall rules

iptables -A INPUT -p tcp --dport 5000 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP

🧯 If You Can't Patch

Isolate affected systems from internet using firewall rules
Implement strict network segmentation to limit lateral movement

🔍 How to Verify

Check if Vulnerable:

Check DSM version in Control Panel > Info Center > DSM Version

Check Version:

ssh admin@synology-nas 'cat /etc.defaults/VERSION'

Verify Fix Applied:

Verify version is 6.2.3-25426-3 or higher in Control Panel > Info Center

📡 Detection & Monitoring

Log Indicators:

Unusual iSCSI-related requests in /var/log/messages
Multiple failed authentication attempts followed by successful iSCSI operations

Network Indicators:

Unusual outbound connections from DSM system
Traffic to unexpected ports from DSM

SIEM Query:

source="synology*" AND ("iscsi_snapshot" OR "iSCSI" AND "snapshot") AND status=200

📊 Metadata

CVE ID: CVE-2021-27647

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: March 12, 2021

Last Updated: January 14, 2025

🔗 References

https://www.synology.com/security/advisory/Synology_SA_20_26 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-339/ Third Party Advisory,VDB Entry
https://www.synology.com/security/advisory/Synology_SA_20_26 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-339/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-27647, you might also want to check these: