SERVER-WEBAPP Synology DiskStation Manager SLICEUPLOAD remote command execution attempt

This alert is triggered on an attempt to exploit CVE-2013-6955, a remote command execution vulnerability in Synology DiskStation Manager. Synology DiskStation Manager is the operating system used by Synology's NAS devices. The rule specifically looks for signs of an attacker attempting to exploit the 'SLICEUPLOAD' feature: a request to the 'imageSelector.cgi' endpoint that carries a specific header, potentially aiming to execute malicious commands.

ID Number

29387

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology DiskStation Manager SLICEUPLOAD remote command execution attempt"; flow:to_server,established; content:"/webman/imageSelector.cgi"; fast_pattern:only; http_uri; content:"X-TYPE-NAME|3A|"; nocase; http_header; content:"SLICEUPLOAD"; distance:0; nocase; http_header; content:"X-TMP-FILE|3A|"; nocase; http_header; content:".cgi"; distance:0; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64516; reference:cve,2013-6955; classtype:attempted-admin; sid:29387; rev:3;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Ensure that Synology DiskStation Manager is up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation was successful, looking for signs of the specified endpoint and header. If possible, block communication attempts from external networks, or allow access from specific external devices only.
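
For the log inspection step, the following added example (not part of the original rule documentation) approximates the signature's content matches in Python so that captured or logged HTTP requests can be triaged offline. It works on raw request text rather than Snort's normalized buffers, and the function names, the host name and the sample requests are constructed for illustration.

```python
# Added example: approximates sid 29387's content matches for offline triage.
# All sample requests below are constructed for illustration.

URI_MARKER = "/webman/imageSelector.cgi"  # case-sensitive in the rule (no nocase)

def _followed_by(buf: str, first: str, then: str) -> bool:
    """True if `then` occurs anywhere after the end of `first` (distance:0)."""
    i = buf.find(first)
    return i != -1 and buf.find(then, i + len(first)) != -1

def matches_sid_29387(raw_request: bytes) -> bool:
    """Apply the rule's http_uri and http_header content checks to one request."""
    head, _, _body = raw_request.decode("latin-1").partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2 or URI_MARKER not in parts[1]:
        return False
    headers = header_block.lower()  # header contents are matched with nocase
    return (_followed_by(headers, "x-type-name:", "sliceupload")
            and _followed_by(headers, "x-tmp-file:", ".cgi"))

def _req(uri: str, *headers: str) -> bytes:
    lines = [f"POST {uri} HTTP/1.1", "Host: nas.example", *headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

SAMPLES = {
    "rule-shaped": _req("/webman/imageSelector.cgi",
                        "X-TYPE-NAME: SLICEUPLOAD",
                        "X-TMP-FILE: /placeholder/example.cgi"),
    "mixed-case headers": _req("/webman/imageSelector.cgi",
                               "x-type-name: sliceupload",
                               "x-tmp-file: /placeholder/example.CGI"),
    "endpoint only": _req("/webman/imageSelector.cgi", "Accept: */*"),
    "headers, other URI": _req("/webman/other.cgi",
                               "X-TYPE-NAME: SLICEUPLOAD",
                               "X-TMP-FILE: /placeholder/example.cgi"),
    "non-cgi temp file": _req("/webman/imageSelector.cgi",
                              "X-TYPE-NAME: SLICEUPLOAD",
                              "X-TMP-FILE: /placeholder/example.tmp"),
}

def triage(samples: dict) -> list:
    """Return the labels of requests that the rule's contents would match."""
    return [label for label, raw in samples.items() if matches_sid_29387(raw)]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Because the rule uses distance:0 rather than a per-line match, ".cgi" appearing in any header after X-TMP-FILE also satisfies it, so a hit from this check still needs the request's headers reviewed by hand.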