Jeffrey Bencteux (https://www.bencteux.fr/posts/synaman/) reached out to Synametrics Technologies, Inc. around February 2022 regarding two vulnerabilities he discovered in SynaMan. This page talks about his concerns and our response.
In short, he claims two problems exist in SynaMan:
An important point to note is that this concern is only applicable if an existing and authorized user on the machine decides to modify files/configuration. This CVE does not apply for users who do not have access to the machine either physically or remotely.
The default installation location of SynaMan is
C:\SynaMan on a Windows machine.
However, according to Mr. Bencteux, this default location is vulnerable to file renames. In other words, an authenticated
user on the device could potentially rename C:\SynaMan\SynaMan.exe file with a different file, and the operating system
will end up running the bad version of the file next time service starts.
We agree with this analysis and therefore, have modified the installation folder to
Users who download SynaMan Windows Installer after April 02, 2022, will see the default installation folder for SynaMan as
recommended by Mr. Bencteux.
This problem is only applicable if an authenticated user on the machine decides to act maliciously. No further steps are required if only trusted individuals are able to access the device.
To comply with Mr. Bencteux recommendation you could reinstall SynaMan and change the installation folder
C:\Program Files. You can even do this with older versions. Refer to this page
Mr. Bencteux claims that someone with administrator's password could misuse the Triggers feature in SynaMan to run malicious code.
The admin account in SynaMan is similar to the
root account on Linux operating system. In other words,
significant damage can be done to the system if an unauthorized user can access your SynaMan using this
Mr. Bencteux suggested enabling the
Restrict admin access to localhost by default to mitigate this risk. We
disagree with this suggestion because legitimate administrators can get themselves locked out if this
option is checked during setup.
We recommend every administrator to follow best practices published by Synametrics Technologies, Inc. regarding SynaMan, which include: