CVE-2022-27626 Vulnerability found in session processing of OOB management.

A vulnerability regarding improper handling of incoming replication or backup events ('Denial of Service') is found in the DSM OOB Management functionality. An attacker may be able to crash the management service or disable it completely via a flood of events. The following models with DSM versions before 7.1.1-42962-2 may be affected: DS3617xs+, DS3617xs, DS3618xs, DS3619xs, DS3620xs, DS3621xs, DS3623xs, DS3628xs, DS3638xs, DS3917xs, DS3918xs, DS3919xs, DS3920xs, DS3921xs, DS3922xs, DS3640xs, DS3641xs, DS3680xs, DS3681xs, DS3682xs, DS3690xs, DS3691xs, DS3692xs, DS3693xs, DS3694xs, DS3695xs, DS3696xs, DS3697xs, DS3698xs, DS3699xs, DS5140xs, DS5141xs, DS5142xs, DS5143xs, DS5144xs, DS5145xs, DS5146xs, DS5147xs, DS5148xs, DS5149xs, DS5150xs, DS5151xs, DS5152xs, DS5153xs, DS5154xs, DS5155xs, DS5

DS3231xs and later versions

The vulnerability affects DSM versions 7.1.2-42962-2 and later, and DSM hardware models that have been shipped since these versions, including: DS3231xs, DS3624xs, DS3625xs, DS3626xs, DS3627xs, DS3628xs, DS3629xs, DS3631xs, DS3642xs.

How to determine if you are affected by this vulnerability

If you are using DSM, please verify the model number of your DSM device.
If your device model is listed in the table below, then it is not affected by this vulnerability.

Affected Models

DS3617xs+, DS3617xs, DS3618xs, DS3619xs, DS3620xs, DS3621xs, DS3623xs, DS3628xs, DS3917xs, DS3918xs, DS3919xs, DS3920xs, DS3921xs, DS3922xs
DS3640x0s/HSRP/HSRP-EXTN/HSRP-EXTN-2G/DS3641x0s/HSRP-EXTN/HSRP-EXTN-2G: 7.1.1-42962-2
DS5140x0s: 7.1.1-42962-2
DS5141x0s: 7.1.1-42962-2
DS5142x0s: 7.1.1-42962-2
DS5143x0s: 7.1.1-42962-2
DS5144x0s: 7.1.1-42962-3

Note: This vulnerability was fixed in DSM version 8 and later releases on all platforms listed above.

Timeline

Published on: 10/20/2022 06:15:00 UTC
Last modified on: 10/21/2022 15:57:00 UTC