CVE-2023-52948

5.0 MEDIUM

📋 TL;DR

This vulnerability allows local users on systems running Synology Active Backup for Business Agent to access unencrypted user credentials stored in settings. It affects all users of Synology Active Backup for Business Agent versions before 2.7.0-3221.

💻 Affected Systems

Products:
  • Synology Active Backup for Business Agent
Versions: All versions before 2.7.0-3221
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of the agent software before the patched version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attackers gain administrative credentials, potentially compromising the entire backup system and accessing sensitive backup data.

🟠

Likely Case

Malicious local users or malware with local access steal credentials to access backup data or pivot to other systems.

🟢

If Mitigated

With proper access controls, only authorized administrators can access the system, limiting exposure.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the system.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to gain unauthorized access to backup credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system where the agent is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0-3221

Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_24_11

Restart Required: Yes

Instructions:

1. Open the Synology Active Backup for Business console.
2. Navigate to Agent Management.
3. Select the affected agents.
4. Click Update Agent.
5. Restart the agent service after the update.

🔧 Temporary Workarounds

Restrict Local Access (applies to: all platforms)

Limit local user access to systems running the vulnerable agent.

🧯 If You Can't Patch

  • Implement strict access controls to limit who has local access to systems running the agent.
  • Monitor for unauthorized access attempts to agent configuration files and settings.

🔍 How to Verify

Check if Vulnerable:

Check the agent version in Synology Active Backup for Business console under Agent Management.

Check Version:

On Windows: check the program version in Control Panel.
On Linux: check the package version with the appropriate package manager.

Verify Fix Applied:

Verify agent version is 2.7.0-3221 or later in the management console.
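The version comparison above is easy to get wrong by hand because the agent version carries a build number after a dash (2.7.0-3221), and a plain string comparison would misorder 2.7.0-999 against 2.7.0-3221. The script below is an added example, not a Synology tool: it parses versions of that shape into comparable tuples and flags hosts still below the patched release. The inventory it runs over is constructed sample data; in practice the version strings would come from the agent console or from each host's package manager or Control Panel entry.

```python
import re

# Patched release from the vendor advisory (Synology_SA_24_11).
PATCHED_VERSION = "2.7.0-3221"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch-build' into a tuple that sorts numerically.

    A missing build number is treated as 0, so a bare '2.7.0' is conservatively
    reported as older than the patched 2.7.0-3221 rather than assumed fixed.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised agent version string: {version!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed agent is older than the first fixed release."""
    return parse_version(installed) < parse_version(patched)


def triage(inventory: list) -> list:
    """Return the hostnames whose agent version still needs the update, sorted."""
    return sorted(host for host, version in inventory if is_vulnerable(version))


# Constructed sample inventory (hostname, reported agent version); not real data.
SAMPLE_INVENTORY = [
    ("win-fileserver-01", "2.6.3-3177"),   # older release: vulnerable
    ("lnx-db-02", "2.7.0-3221"),           # exactly the patched build: fixed
    ("win-desktop-17", "2.7.0-3220"),      # same release, earlier build: vulnerable
    ("lnx-web-05", "2.7.1-3300"),          # later release: fixed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update to {PATCHED_VERSION} or later")
```

Run it against an export of the Agent Management list (hostname and version columns) to get the set of agents that still need the update; the tuple comparison is what makes the build-number ordering correct.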

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to agent configuration files
  • Multiple failed authentication attempts to backup systems

Network Indicators:

  • Unusual backup access patterns from unexpected IPs

SIEM Query:

Search for events related to Synology Active Backup Agent configuration file access by non-admin users.
