CVE-2022-22685
📋 TL;DR
This path traversal vulnerability in Synology WebDAV Server allows authenticated remote attackers to delete arbitrary files on the system. The vulnerability affects Synology NAS devices running WebDAV Server before version 2.4.0-0062. Attackers need valid credentials to exploit this flaw.
💻 Affected Systems
- Synology WebDAV Server
📦 What is this software?
WebDAV Server by Synology, the package that exposes NAS shares over the WebDAV protocol (HTTP/HTTPS, default ports 5005/5006) on DiskStation Manager (DSM).
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, configuration files, or sensitive data, potentially leading to system instability or complete data loss.
Likely Case
Unauthorized deletion of user files, application data, or configuration files, causing data loss and service disruption.
If Mitigated
Limited impact with proper access controls, file permissions, and monitoring in place, potentially only affecting non-critical files.
🎯 Exploit Status
Exploitation requires valid authentication credentials. The specific vectors are unspecified in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0-0062 or later
Vendor Advisory: https://www.synology.com/security/advisory/Synology_SA_21_09
Restart Required: Yes
Instructions:
1. Log into DSM as administrator.
2. Open Package Center.
3. Find WebDAV Server.
4. Click Update if available.
5. Alternatively, manually download version 2.4.0-0062 or later from the Synology website.
6. Install the update.
7. Restart the WebDAV service or the NAS.
🔧 Temporary Workarounds
Disable WebDAV Server
Temporarily disable the WebDAV Server package if immediate patching is not possible.
In DSM Package Center: Select WebDAV Server > Stop
Restrict WebDAV Access
Limit WebDAV access to trusted IP addresses only using firewall rules.
In DSM Control Panel > Security > Firewall: Add rules to restrict WebDAV port (default 5005/5006) access
🧯 If You Can't Patch
- Implement strict access controls and limit WebDAV user permissions to minimal required directories.
- Enable comprehensive logging and monitoring for file deletion activities through WebDAV.
🔍 How to Verify
Check if Vulnerable:
Check WebDAV Server version in DSM Package Center. If version is below 2.4.0-0062, the system is vulnerable.
Check Version:
In DSM: Package Center > Installed > WebDAV Server shows the version number.
Verify Fix Applied:
Verify WebDAV Server version shows 2.4.0-0062 or higher in Package Center after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion patterns in WebDAV logs
- Multiple DELETE requests from single authenticated user
- DELETE requests targeting system or configuration files
Network Indicators:
- WebDAV DELETE requests with path traversal patterns (../ sequences)
- High volume of DELETE requests from authenticated users
SIEM Query (illustrative pattern; adapt source and field names to your log pipeline):
source="webdav_logs" AND method="DELETE" AND uri="*../*"
The original pattern also included uri="*/../*", which is already covered by uri="*../*". A plain wildcard match does not catch URL-encoded traversal sequences (e.g. %2e%2e), so decode the URI field before matching or add an equivalent clause for the encoded form.
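As an added example (not part of the advisory or Synology's tooling), the log and network indicators above turned into a small Python checker run over constructed WebDAV access log lines. The log format, user names, paths and the DELETE-volume threshold are all hypothetical; it goes slightly beyond the SIEM query above by also catching URL-encoded and double-encoded traversal sequences.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in a hypothetical "<user> <method> <uri> <status>"
# format; they are not taken from any real Synology log.
SAMPLE_LOG = """\
alice DELETE /webdav/docs/report.txt 204
bob DELETE /webdav/share/../../volume1/etc/config.ini 204
bob DELETE /webdav/share/%2e%2e/%2e%2e/volume1/etc/app.conf 204
carol PROPFIND /webdav/docs/ 207
bob DELETE /webdav/share/photo.jpg 204
bob DELETE /webdav/share/photo2.jpg 204
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def has_traversal(uri: str) -> bool:
    """True if the URI contains a '..' path segment, raw or URL-encoded.
    Decoding twice also catches double-encoded forms such as %252e%252e."""
    candidates = {uri, unquote(uri), unquote(unquote(uri))}
    return any(re.search(r"(^|/)\.\.(/|$)", c) for c in candidates)


def analyse(log_text: str, delete_threshold: int = 3):
    """Return (traversal_hits, noisy_users): DELETE requests whose URI walks
    out of its directory, and users issuing at least delete_threshold DELETEs."""
    traversal_hits = []
    deletes_per_user = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        user, method, uri, _status = m.groups()
        if method != "DELETE":
            continue
        deletes_per_user[user] += 1
        if has_traversal(uri):
            traversal_hits.append((user, uri))
    noisy_users = sorted(u for u, n in deletes_per_user.items() if n >= delete_threshold)
    return traversal_hits, noisy_users


if __name__ == "__main__":
    hits, noisy = analyse(SAMPLE_LOG)
    for user, uri in hits:
        print(f"traversal DELETE by {user}: {uri}")
    print("users with high DELETE volume:", noisy)
```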