CVE-2024-11398
📋 TL;DR
This path traversal vulnerability in Synology Router Manager allows authenticated remote attackers to delete arbitrary files on affected systems by exploiting improper path validation in the OTP reset functionality. It affects Synology routers running SRM versions before 1.3.1-9346-9. Attackers need valid credentials to exploit this vulnerability.
💻 Affected Systems
- Synology Router Manager (SRM)
📦 What is this software?
Synology Router Manager (SRM) is the operating system that runs on Synology's router models and provides their web-based administration interface.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete critical system files, configuration files, or user data, potentially causing complete system failure, data loss, or persistent compromise by removing security controls.
Likely Case
Attackers with valid credentials could delete router configuration files, logs, or user data, leading to service disruption, loss of network connectivity, or removal of evidence.
If Mitigated
With proper access controls and monitoring, impact would be limited to files accessible by the authenticated user's permissions, but still represents unauthorized file deletion.
🎯 Exploit Status
Requires authenticated access. Specific exploitation vectors are unspecified in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SRM 1.3.1-9346-9 or later
Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_24_03
Restart Required: No
Instructions:
1. Log into the SRM web interface.
2. Navigate to Control Panel > Update & Restore.
3. Click 'Update' and follow the prompts to install SRM 1.3.1-9346-9 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
- Disable OTP reset functionality: temporarily disable the OTP reset feature if it is not required.
- Restrict administrative access: limit administrative access to trusted IP addresses only.
🧯 If You Can't Patch
- Implement strict access controls and limit administrative accounts to essential personnel only
- Enable comprehensive logging and monitor for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check the SRM version in Control Panel > Info Center > DSM/SRM. If the version is below 1.3.1-9346-9, the system is vulnerable.
Check Version:
ssh admin@router-ip 'cat /etc.defaults/VERSION'
Verify Fix Applied:
Verify SRM version is 1.3.1-9346-9 or higher in Control Panel > Info Center > DSM/SRM.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- Multiple failed OTP reset attempts followed by successful attempts
- Administrative access from unexpected IP addresses
Network Indicators:
- HTTP requests to OTP reset endpoints with unusual path parameters
- Increased traffic to administrative interfaces
SIEM Query:
source="srm-logs" AND (event="file_delete" OR uri="/otp/reset") AND NOT user="system"
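The log and network indicators above can be turned into a small detection routine. The following is an added example, not code from the advisory or from Synology: it assumes a key=value log format, an OTP reset endpoint at /otp/reset with a `file` query parameter, and an OTP data directory of /var/otp, and it flags reset requests whose path parameter escapes that directory (after decoding) as well as non-system file deletions outside it.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed (not from the advisory): OTP reset data lives under this directory,
# so any path that resolves outside it after normalization is suspicious.
OTP_BASE_DIR = "/var/otp"

# Constructed sample log lines in an assumed key=value format; real SRM logs differ.
SAMPLE_LOGS = [
    "2024-11-01T10:00:01Z user=admin uri=/otp/reset?file=token.dat event=otp_reset target=/var/otp/token.dat",
    "2024-11-01T10:00:05Z user=admin uri=/otp/reset?file=..%2F..%2Fetc%2Fapp.conf event=file_delete target=/etc/app.conf",
    "2024-11-01T10:00:09Z user=system uri=- event=file_delete target=/tmp/cache.bin",
    "2024-11-01T10:00:12Z user=guest uri=/otp/reset?file=%252e%252e/%252e%252e/etc/passwd event=file_delete target=/etc/passwd",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    """Split a log line into its timestamp and key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields

def resolves_outside(base: str, user_path: str) -> bool:
    """True if user_path, decoded and normalized against base, escapes base.
    Decoding twice catches double-encoded dot segments; normpath collapses '..',
    and join() lets an absolute path replace base so it is judged on its own."""
    decoded = unquote(unquote(user_path))
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    return not (resolved == base or resolved.startswith(base + "/"))

def analyze(lines) -> list:
    """Return (timestamp, user, reason) tuples for lines matching the advisory's indicators."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        user = f.get("user", "?")
        uri = urlsplit(f.get("uri", "-"))
        # Indicator 1: OTP reset request whose path parameter escapes the OTP directory
        if uri.path == "/otp/reset":
            for value in parse_qs(uri.query).get("file", []):
                if resolves_outside(OTP_BASE_DIR, value):
                    alerts.append((f["timestamp"], user, "otp_reset_traversal"))
        # Indicator 2: file deletion outside the OTP directory not done by the system account
        if f.get("event") == "file_delete" and user != "system":
            if resolves_outside(OTP_BASE_DIR, f.get("target", "")):
                alerts.append((f["timestamp"], user, "file_delete_outside_otp_dir"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the routine raises four alerts: two for the admin request at 10:00:05 and two for the guest request at 10:00:12, while the in-directory reset and the system-account deletion pass silently.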