Synology News Recap for Mid-February

Security Updates

There have been two security bulletins (and related updates) so far this month. If you use Media Server, you’ll want to update. People running Media Server 1.4 will want to be on version 1.4-2654 or above, while those running Media Server 1.7 will want to be on version 1.7.6-2842 or above. The vulnerability allows a remote attacker to carry out SQL injection attacks. The security bulletin is Synology SA-18:04 Media Server. This vulnerability earns its “Important” rating since it can be exploited remotely and without any user authentication.

The relatively new Synology Drive has a moderate vulnerability that allows authenticated users to inject arbitrary web scripts. The vulnerability is only rated as Moderate since it does require user authentication. Upgrade to Drive 1.0.1-10253 or higher for the patch. See the Synology SA 18:05 Drive for more information. (I’ll just briefly mention that this Drive update triggered a large sync on two Macs, but not on any Android or iOS devices.)

The Calendar package also had a vulnerability identified in security bulletin Synology SA 18:06 Calendar. Like the Drive vulnerability, it allows authenticated users to inject arbitrary web scripts and is rated “Moderate” by Synology. It’s version 2.1.1-0502 (or above) that includes the fix.

Synology also released DSM 6.1.5-1254 which includes a few security updates along with minor enhancements and some bug fixes.

News

For businesses needing a lot of storage in a rack-mountable form factor, Synology has released the Synology RS218RP+ NAS. It’s a 3U RackStation with 16 drive bays, expandable to 28 bays.

Synology Releases DSM 6.1.5-1254

Synology has released a new update for its DiskStation Manager 6.1 software. Version 6.1.5-1254 was officially released back on February 1st. After the problems with the December DSM updates, the rollout of this one was much slower. I started testing it back on February 2, 2018, and have not had any problems since. It does include some security updates, but like most “dot releases” it doesn’t contain any essential changes. (Well, if you’re affected by one of the fixes then it would be necessary for you.)

Changes include:

What’s New in DSM 6.1.5

  1. Added support for editing permissions to multiple groups and users to a single folder or file simultaneously in File Station.
  2. Added Seagate IronWolf Health Management (IHM) support on DS118, DS218play, DS418j, DS418 and DS218.

Fixed Issues

  1. Fixed an issue where the system may make a false alarm about hot spare disks when upgrading SHA.
  2. Fixed a domain issue by allowing Synology NAS to join an existing domain with an ASCII password.
  3. Enhanced system efficiency in calculating a large number of user and group privilege settings.
  4. Enhanced SSD cache reliability.
  5. Fixed the issue where setting notifications for low volume capacity is not available on 1-bay models.
  6. Fixed an issue where converting a single volume to support multiple volumes may be misidentified as a crashed volume.
  7. Fixed an issue where users may not be able to collapse and expand fieldsets on an SSD cache webpage with Safari 11 browser.
  8. Fixed a security vulnerability regarding Linux kernel (CVE-2017-16939).
  9. Fixed a security vulnerability regarding Samba (Synology-SA-17:72).

Synology Drive vs Cloud Station

Synology Drive is one of Synology’s newest packages for DiskStation Manager (DSM). While it doesn’t match the features of Cloud Station, it does physically replace it, at least on the DiskStation itself. There are significant differences between Drive and Cloud Station. Whether the changes with Drive are good or bad depends on your needs, but there are a few differences that aren’t readily apparent until you have made the switch.

Once the DiskStation is upgraded to Drive there’s no going back to Cloud Station. (At least not in a way supported by Synology and that will keep all data and settings.)

When you install Drive on your Synology NAS it will replace Cloud Station on the NAS. All settings will be migrated from Cloud Station to Drive, except for shared links, which are not migrated. The directory name is changed to “Drive.” The name change applies to the default Cloud Station folder in the home directories.

My Cloud Station to Drive Upgrades

For me, the server settings migration was flawless over several tests and for several production DiskStations. As already mentioned, no downgrade is supported.

PC and Mac clients are automatically notified that an upgrade is available through an icon in the menu bar. None of my clients upgraded automatically, although this may be due to my security settings as Synology documentation says the upgrade is automatic. Even when the update was triggered by me, the results have been mixed.

In cases where I set up a test environment and did the upgrade, without actually using Cloud Station over time, things went well. But then it was downhill. No major issues, just some things to be prepared for and allow time to straighten things out.

I’ll also point out that I didn’t do any of the upgrades (including on the NAS) until I was sure all the clients had a chance to update. I would recommend this as much as possible although it may be difficult in many cases. In my case, it was worth the effort since I wanted to eliminate discrepancies as a source of any problems.

I only updated one Windows PC (other than my testing). All my settings were migrated, but it did trigger a full sync which took some time since I don’t exclude many directories from sync. I also found that I should have waited before continuing to my next computer which also triggered a sync. I ended up with a considerable number of sync conflicts. As I previously mentioned, I knew all my files were in sync when I began so it was easy enough to delete any file with “_conflict” in the name without worrying about which was the most recent file.

At this point, I upgraded my remaining devices one at a time and waited for the sync (if one started) to end before moving on.

My first Mac OS High Sierra update failed. The upgrade wizard errored out during the upgrade. When I ran the installation a second time, it ran the new install wizard, and I had to pick the settings I wanted manually. I used the new default “Drive” as the directory name and moved all the files from Cloud Station into it. In retrospect, I should have kept the old directory, which is what would have been done if the upgrade had worked. In this case, a full sync was also triggered.

The Drive upgrade on my second Mac OS High Sierra PC went as expected once I kicked it off manually. I breathed a sigh of relief at this since this computer has a lot of Hazel scripts that move files around in these directories. I didn’t have to change any scripts. It did kick off a sync, at least based on the notifications, although few if any files were actually copied.

While Drive and Cloud Station clients cannot coexist on a PC, they do just fine together on Android or iOS. This is a good thing since there are significant differences in their capabilities. Personally, I’ve been using Cloud Station more than Drive on my phones and iPad.

Major Differences & Drive Drawbacks

Some of the significant differences and drawbacks are:

  • Synology Drive mobile apps do not sync files locally to the mobile device. To access your data using Drive on Android or iOS you must have a connection back to the Synology NAS. It will open the file directly from the NAS. (Windows and Mac Drive clients still sync files.)
  • If you use Synology Office and want to run the latest version, you’ll need to upgrade to Drive. Mobile devices have very limited support for Synology Office files. Synology Drive can view the files but can’t edit or create them. To view them on mobile you do need a connection back to the Synology NAS, just like any other file in Drive.
  • Synology Drive does provide a web interface which some people may find useful. It’s also how you create, edit and manage Synology Office documents.

Summary

Synology Drive looks and feels more modern than Synology Cloud Station, but in many respects, it’s a step back. On the NAS and PCs, it continues to function as well as Cloud Station without any loss of functionality. It completely falls apart on the mobile device.

I still use Cloud Station everywhere mobile. Even with a connection back to my NAS, I don’t want to waste mobile data opening files. At least with Cloud Station, I can sync them when I’m local to the NAS and access them remotely. While WiFi is more ubiquitous these days, I don’t want to have to count on it. So for me, it’s still Cloud Station on Android and iOS, although I still have Drive installed so I can try it out every now and then.

Synology Office is now part of Drive which does make things simpler. However, Office still lacks too many features for me even to consider using it regularly. If I’m forced to say something nice about it I’d say it’s now a lot less buggy. The lack of mobile support (view-only does not equal mobile support for me) is a show stopper for me no matter how good the app itself becomes. On the other hand, view-only is precisely what some people need. If the limited feature set works for you, then Synology Office isn’t a bad choice. It used to be that the bugs kept me away even when it met my needs. Even so, I’m not going to split my documents between two office suites.

Synology Security Updates for January 2018

The big security news for the month was the Meltdown and Spectre vulnerabilities. Synology has yet to release an update that addresses these vulnerabilities, which, in retrospect, is a good thing. The update released by Intel (to be used by all their OEMs) has had problems; Intel has withdrawn the update, and Microsoft has provided tools to disable it.

Synology last updated their Meltdown/Spectre security bulletin back on January 9th. At this point, it only lists the Synology products that are affected.

There were two additional security bulletins released in January. Both identify vulnerabilities that have been resolved in package updates.

A Photo Station vulnerability is addressed in Synology Security Bulletin SA-18:02. If you use Photo Station 6.8, then update to 6.8.3-3463 or above. If you use Photo Station 6.3, you should upgrade to 6.3-2971 or above.

A Note Station vulnerability was addressed in Synology Security Bulletin SA-18:03 and is fixed by upgrading to 2.5.1-0844 or above.
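As an added example (not code from the post or from Synology), here is a small checker that applies the branch-specific minimum versions quoted in the mid-February bulletins (Media Server, Drive, Calendar) and the January ones (Photo Station, Note Station) to a list of installed package versions. The inventory it runs on is constructed, and the package names are keys chosen for this script rather than anything Synology defines.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class SynoVersion(NamedTuple):
    """Synology package/DSM version: dotted release, build number, optional update."""
    release: Tuple[int, ...]   # e.g. (1, 7, 6) for "1.7.6-2842"
    build: int                 # e.g. 2842
    update: int                # trailing "-N" (DSM "Update N"), 0 if absent


# Matches "1.4-2654", "1.7.6-2842", "2.1.1-0502" and "6.1.4-15217-5".
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> SynoVersion:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Synology version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    # int() drops the zero padding of builds such as "0502", so they compare numerically.
    return SynoVersion(release, int(m.group(2)), int(m.group(3) or 0))


# Minimum fixed versions per release branch, taken from the bulletins in this post.
# Keyed by (major, minor) because fixes are issued per branch (Media Server 1.4 vs 1.7).
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], str]] = {
    "Media Server":  {(1, 4): "1.4-2654", (1, 7): "1.7.6-2842"},   # SA-18:04
    "Drive":         {(1, 0): "1.0.1-10253"},                       # SA-18:05
    "Calendar":      {(2, 1): "2.1.1-0502"},                        # SA-18:06
    "Photo Station": {(6, 8): "6.8.3-3463", (6, 3): "6.3-2971"},   # SA-18:02
    "Note Station":  {(2, 5): "2.5.1-0844"},                        # SA-18:03
}


def check_package(package: str, installed: str) -> str:
    """Return "ok", "vulnerable" or "unknown" for one installed package.

    "unknown" means the post gives no fixed version for that release branch,
    so the checker refuses to guess rather than report a false "ok"."""
    ver = parse_version(installed)
    branch = ver.release[:2]
    minimums = FIXED_VERSIONS.get(package, {})
    if branch not in minimums:
        return "unknown"
    # NamedTuple comparison is lexicographic: release tuple, then build, then update.
    return "ok" if ver >= parse_version(minimums[branch]) else "vulnerable"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Check (package, installed version) pairs, e.g. copied from Package Center."""
    return [(pkg, ver, check_package(pkg, ver)) for pkg, ver in inventory]


# Constructed sample inventory (hypothetical installs, not from a real NAS).
SAMPLE_INVENTORY = [
    ("Media Server", "1.7.5-2800"),    # 1.7 branch, below the fixed build
    ("Media Server", "1.4-2654"),      # exactly the fixed build for the 1.4 branch
    ("Drive", "1.0.1-10253"),
    ("Calendar", "2.1.0-0490"),
    ("Photo Station", "6.5-3000"),     # branch the bulletin does not cover
]

if __name__ == "__main__":
    for pkg, ver, status in audit(SAMPLE_INVENTORY):
        print(f"{pkg:14} {ver:14} {status}")
```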

Synology Response to Meltdown and Spectre

You’ve probably already read about the widespread Meltdown and Spectre CPU exploits. There’s been a lot of incomplete or incorrect information about the vulnerabilities. Initial reports indicated it was just Intel CPUs that were affected, which isn’t accurate. AMD and ARM chips are also affected. Most CPUs are impacted, although a few low-end CPUs avoid the problems. For example, Raspberry Pis aren’t affected because their makers wanted simple, cheap CPUs and didn’t license the additional features that would have been vulnerable, since they didn’t need them.

In short, the vulnerability takes advantage of the things modern CPUs do to enhance performance, such as caching (in the CPU, not disk caching) and speculative execution. This article uses a simple analogy to explain some of the vulnerability.

Unfortunately, the fastest and most secure way to patch the vulnerability is to use blunt force to turn off the performance enhancements that enable the vulnerability. While it does depend on your specific use, this can have a severe impact on performance. Over time these blunt force patches can be scaled back, and targeted fixes can replace them. These targeted fixes require changes to the hardware (or at least hardware firmware), operating systems, and in some cases, individual applications.

Synology has released a security bulletin which identifies the impacted NAS and router models, which is most of them. Not all the affected models are Intel-based. The vulnerability appears with DSM 5.2, DSM 6.0 and DSM 6.1. (I imagine DSM 6.2 beta is also impacted). VisualStation is also affected.

Currently, no patches or other mitigations are available. Synology will update their security bulletin as things change. Refer to security bulletin SA-18:01 for current details.

Two Synology Security Bulletins To Finish Off 2017

Synology released two security bulletins to finish off the year. I recapped the security bulletins issued earlier in December here.

Both new bulletins were related to MailPlus. Servers and clients are all impacted. You’ll want to be sure you’re on one of the following versions.

  • MailPlus Server – Version 1.4.0-0415 or above
  • MailPlus – Version 1.4.1-0742 or above.
  • Android MailPlus – Version 1.6.1 or above.
  • iOS MailPlus – still pending

Synology Security Bulletin SA-17:81 addresses a cross-site scripting vulnerability in MailPlus Server.

Synology Security Bulletin SA-17:82 addresses the collection of bugs known as Mailsploit.

Synology Router Manager Updates

Synology released two router updates recently. The first was back on December 19th which was re-packed and re-released on December 26th to fix a bug introduced in the update. The second was released December 26th and included a few updates in addition to fixing the bug they introduced on December 19th.

The December 19th update, SRM Version 1.1.6-6931, broke the LAN 1 port on the RT2600ac router. All I lost was time, since it is the only port I use (to connect to a switch) and I could just move to another one. I can also report that the December 26th update does fix the problem and I’m now back on LAN 1. While I would not have expected a firmware update to break just one LAN port, checking ports is early in the troubleshooting process and easy to do. In retrospect, it’s less surprising since the port can do double duty as a second WAN port.

SRM version 1.1.6-6931

Released December 19th (re-packed December 26th) and contains the following changes and fixes.

Just under two weeks ago Synology released a DSM update that had to be pulled back to be fixed, and they needed a follow-up update to fix what it broke. Now an SRM update breaks a LAN port. While relatively minor, it required troubleshooting and the back-to-back problems are a concern.

What’s New

  1. IGMP snooping for Wi-Fi interface is now enabled by default.
  2. 2.4 GHz Wi-Fi can now be implemented with a channel bandwidth of 40 MHz.
  3. Updated GeoIP and URL Blocker databases.
  4. Improved CPS (connection per second) with CTF enabled on an RT1900ac.
  5. Added support for IPv6 6rd.

Fixed Issues

  1. Fixed an issue where the settings of Internet Allowed Time in Parental Control could not be restored.
  2. Fixed an issue where SSL VPN might return a 403 forbidden page when the Prevention mode is enabled in IPS.
  3. Fixed an issue where SRM might fail to access the Internet when the VPN service provider’s ID contains a colon (:).
  4. Fixed an issue where a client device might fail to connect to Wi-Fi with the WPS PIN code.
  5. Fixed an issue where an error message might display when the SSID contains non-alphanumerics and is longer than 32 characters.
  6. Fixed an issue where traffic reports might fail to be generated when an external storage is removed.
  7. Fixed an issue where a user could not select the proper channel for 2.4 GHz Wi-Fi after a change in country/region.
  8. Fixed an issue where NAT-related rules might not be in effect for the secondary WAN interface upon its lack of gateway information.
  9. Fixed an issue regarding user’s interface operation on Safari 11.
  10. Fixed an issue where the access to Internet using PPPoE might fail after Synology Router restarts.
  11. Fixed an issue where SRM might not work properly when a client device is connected through 802.11b/g.
  12. Fixed an issue of wrong time zone for Turkey.
  13. Fixed an issue where Synology Router might restart unexpectedly.
  14. Fixed an issue where SRM might not work properly with a certain LTE dongle.
  15. Fixed an issue where Traffic Control might not work properly when Layer 7 monitor is enabled and a packet length is more than 16,834 bits.

Security Updates

  1. Fixed a security vulnerability regarding Linux kernel (CVE-2017-16939).
  2. Fixed a security vulnerability (Synology-SA-17:79).

SRM Version 1.1.6-6931-1

Released December 26th and contains the following fixes.

  1. Fixed an issue where SRM web-based interface might not be accessible via QuickConnect.
  2. Fixed an issue where SRM might fail to access the Internet after Synology Router is reset to default.
  3. Fixed an issue where LAN 1 might not work properly on RT2600ac.
  4. Fixed an issue where SRM might not work properly when a PPTP connection is established via WAN port.

Synology Security Bulletins for December

Synology has released six security bulletins in December. Synology classified all of them as moderate.

Two of them apply to Photo Station so you’ll want to make sure you’re on Photo Station version 6.8.0-3461 or above. At this time version 6.8.0-3461 is the current version. Synology Security Bulletin SA-17:76 identifies a problem that allows remote users to access sensitive information. Synology Security Bulletin SA-17:80 identifies an issue that allows a remote user to inject arbitrary code into Photo Station.

Users of Surveillance Station 8.1 will want to update to version 8.1.2-5469 or above to address the vulnerability identified in Synology Security Bulletin SA-17:77. At this time, version 8.1.2-5469 is the current version of Surveillance Station.

MailPlus Server is vulnerable to remote authenticated users injecting code. This is described in Synology Security Bulletin SA-17:75 and affects MailPlus Server before version 1.4.0-0415 which is the current version at this time.

Chat is vulnerable to remote authenticated users accessing intranet resources or injecting code as described in Synology Security Bulletin SA-17:78. This is fixed in version 2.0.0-1124.

Synology Router Manager could also allow remote authenticated users to execute arbitrary code as described in Synology Security Bulletin SA-17:79. It is fixed in version 1.1.6-6931. (SRM is the OS for Synology’s router models.)

Hopefully, there won’t be any security related updates this year, and we can enjoy a quiet holiday.

DiskStation Manager Version: 6.1.4-15217-5 Released

Synology has released DiskStation Manager Version: 6.1.4-15217-5 (aka DSM 6.1.4-15217 Update 5). This update follows up on last week’s confusing releases. If, like me, you installed the repacked Update 3 rather than the original problem version, then you’ll skip right over Update 4.

Update 5 contains only one fix and can be safely put off unless you have the problem and need it fixed. While no update is guaranteed to be 100% safe, updates don’t get much safer than this one.

The only fix is to resolve an issue where the scan results of Security Advisor may not be correct.

DSM 6.1 Updated Twice (Kind of)

Synology released two updates to DiskStation Manager last week, but quickly pulled the first one back.

First Synology released version 6.1.4-15217 Update 3. I woke Wednesday morning to the notification that there was a new version of DSM to install. It had vanished by the time I sat down to check it out. The release notes listed it, but it was nowhere to be found. A quick check of the forums showed a couple of people complaining about LUN issues after the update. Synology never comments about pulling back updates, so there’s no official word, but Synology pulled it back for some reason.

By Friday Synology had re-released update 3 and also released an Update 4. As of today, update 4 is not being offered to me on either of my own NAS’s.

The release notes only add to the confusion. According to the release notes update 3 was released Friday (12/15) while update 4 was released the day before. Synology may have tweaked update 3 after they pulled it back. The file dates on the Synology download directory are all 12/13 with update 4 having a slightly earlier timestamp. The logs on my NAS confirm that an update was available to me when I woke the morning of 12/13.

I usually try to get updates installed as soon as practical but the problems with this one (Synology did pull it back, so it’s more than the usual background noise of complainers) and the time of year make me recommend careful consideration before updating. Unless the update fixes a specific problem you’re experiencing I’d suggest holding off until a less stressful time for you. If you do have LUNs configured, I’d recommend waiting until you have plenty of time to troubleshoot and handle the worst case scenario, a full re-install and restore. Things will be sorted out over the next week. If the week before Christmas and New Year’s Day is slow, it would be an excellent time to do the upgrade. While you should always have known good backups, it would be a good time to verify the quality of those backups.

There are a few security patches in this update (in OpenSSL), although there don’t seem to be any active exploits against them (though it’s only a matter of time).

And finally, before I list the fixes, I successfully installed Update 3 on a DS1815+ and a DS1511+ without any issues. Neither one has LUNs configured. Also, neither one has been offered Update 4 as an available update. Assuming Update 3 was re-released, I would have installed the newest release and not the original release.

While not confirmed by Synology, it appears they recompiled (aka repacked) the original update 3 to fix the issue and pushed it out. Update 4 was released to fix the problem on any NAS that installed the initial, buggy update 3 and is not needed for the repacked update 3.

DSM Version 6.1.4-15217-3 (aka Update 3) contains the following fixes and will reboot the NAS when installed.

Fixed Issues

  1. This update is a repack to fix the iSCSI issues.
  2. Fixed multiple security vulnerabilities pertaining to OpenSSL (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738).
  3. Enhanced the stability of the Apollo Lake platform BIOS.
  4. Fixed an issue with abnormal transfer rates for LUNs when backing up to an external storage device.
  5. Fixed an issue where DSM may shutdown incorrectly when iSCSI Block LUN services are overloaded.
  6. Improved the error handling mechanism for the SSD cache when volumes crash.
  7. Enhanced the stability of the upgrade process for SHA clusters.
  8. Enhanced volume expansion process stability after an improper shutdown.
  9. Enhanced system efficiency for calculating large numbers of user and group privilege settings.
  10. Fixed an issue where Microsoft Office documents may fail to save when Windows 10 Fall Creators Update is installed.

DSM Version 6.1.4-15217-4 (aka Update 4) contains the following fixes and will reboot the NAS when installed.

Fixed Issues

  1. Fixed an issue where Block LUNs cannot be enabled after upgrading to DSM 6.1.4-15217-3.
  2. Fixed an issue where Advanced LUNs larger than 2TB cannot be mapped to Targets after upgrading to DSM 6.1.4-15217-3.