Synology DSM 6.1.4-15217 Update 1 Released

Synology has released DiskStation Manager (DSM) 6.1.4-15217-1. There’s only one fix and it’s not security related, so there’s no rush unless you use PPPoE and have encountered the issue. The update does not require a reboot.

The release notes contained one item.

  1. Fixed an issue where PPPoE cannot be displayed properly in Control Panel.

Synology Releases DSM 6.1.4-15217

Synology has updated DSM 6.1 to version 6.1.4-15217 with 22 itemized updates and fixes. This bumps the release from “.3” to “.4” after eight updates to the initial .3 release, which came out in July. Several of these fixes patch security vulnerabilities, so the update should be applied as soon as practical. I’ve applied the update to both DS1815+ and DS1511+ models without any issues. The update does immediately restart the NAS, so plan accordingly.

Version: 6.1.4-15217

(2017-11-06)

What’s New in DSM 6.1.4

  1. Adjusted the threshold of remaining storage capacity warning to 10%.
  2. Support 12TB IronWolf and IronWolf Pro drives with IHM.
  3. Users with ACL permissions set as “administration” can edit shared folders in File Station.

Fixed Issues

  1. Enhanced the compatibility of USB on certain models.
  2. Enhanced the compatibility of SAS drives on certain models.
  3. Fixed an issue where the response of user interface might slow down when using hotspares under certain circumstances.
  4. Fixed user interface display issues to enhance the usability of Resource Monitor.
  5. Fixed an issue where DSM mobile might not work properly on devices running Android 8.0.
  6. Fixed an issue where the administrator might not be able to log in to DSM after removing clients from the trusted client list.
  7. Enhanced file system stability by backporting Kernel updates.
  8. Enhanced the stability of RAID 5, RAID 6, RAID F1, and SHR.
  9. Enhanced the compatibility of Windows AD and NFS protocol.
  10. Fixed an issue where RAID Resync might slow down when creating or deleting multiple volumes.
  11. Fixed an issue where users might be logged out or shared folders mounted via AFP might be disconnected when changing permissions.
  12. Fixed an issue where the background of login panel might be blurry when accessing DSM on Chrome browser.
  13. Fixed an issue where users might not be able to collapse and expand nested sections on DSM webpage when using Safari 11 browser.
  14. Fixed search results filters of File Station, AFP and SMB to ensure that users can only find files with read permissions in their search results.
  15. Fixed multiple security vulnerabilities regarding Linux kernel (CVE-2017-10661, CVE-2017-10662, CVE-2017-10663).
  16. Fixed a security vulnerability regarding Samba (CVE-2017-11103).
  17. Fixed multiple security vulnerabilities regarding Wget (CVE-2017-6508, CVE-2017-13089, CVE-2017-13090).
  18. Fixed a security vulnerability regarding XSS (CWE-79).
  19. Fixed multiple security vulnerabilities regarding poppler library (CVE-2017-2820, CVE-2017-7511, CVE-2017-7515, CVE-2017-9408, CVE-2017-9775).

Synology Security Updates

Synology has recently released three security bulletins for vulnerabilities in three different packages. All the updates mentioned are available now for DSM 6.1 along with the DSM 6.2 beta.

Download Station (Synology-SA-17:62 Important: Wget update)

From the security bulletin:

Multiple security vulnerabilities have been found in Wget, and may allow man-in-the-middle attackers to execute arbitrary code, or cause a denial-of-service attack from a vulnerable version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and Download Station.

Update Download Station to 3.8.7-3490 or above in order to patch this vulnerability.

Photo Station (Synology-SA-17:63 Moderate: Photo Station update)

From the security bulletin:

Multiple security vulnerabilities have been found in Photo Station, and may allow remote attackers to read arbitrary files, or obtain sensitive system information from a vulnerable version of Synology Photo Station.

Update Photo Station to 6.8.1-3458 or above to patch this vulnerability.

CardDav (Synology-SA-17:64 Critical: CardDAV Server update)

From the security bulletin:

CVE-2017-15887 allows remote users to obtain system user accounts with brute-force attack from a vulnerable version of CardDAV Server.

Update CardDAV Server to 6.0.7-0085 or above to patch this vulnerability.

Synology Releases DSM 6.1.3-15152 Update 8

Synology has released DiskStation Manager (DSM) 6.1.3-15152-8 to address the recently disclosed WPA/WPA2 vulnerabilities known as KRACK. If you have a wireless dongle attached or have one of the “air” models then this update is for you. If you don’t have wireless on your Synology NAS then there’s no rush to install this update as you aren’t vulnerable.

The update fixes multiple security vulnerabilities regarding WPA/WPA2 protocols for wireless connections (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088).

Synology has also released an update for their routers.

Synology Routers Patched for KRACK

Synology has released security updates for their routers which address the recently publicized vulnerabilities named KRACK. The firmware (SRM – Synology Router Manager) is version 1.1.5-6542-3. The SRM control panel lists it as “SRM 1.1.5-6542 Update 3”. I applied the update to my Synology RT2600ac router without an issue. The router does reboot so you’ll lose all wireless and internet connections during the reboot.

Fixes include:
* Fixed multiple security vulnerabilities regarding WPA/WPA2 protocols for wireless connections (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088). (These are the KRACK vulnerabilities.)
* Fixed multiple security vulnerabilities regarding Broadcom Wi-Fi chip (CVE-2017-11120, CVE-2017-11121).
* Fixed an issue where the channel 140 could not be selected in 20MHz on RT1900ac.
* Fixed an issue where the password might not be masked properly upon login failure.

Samba (Windows File Sharing) Vulnerability in Synology DSM and SRM

Synology has released a security bulletin concerning vulnerabilities in Windows File Sharing (Samba) that affect DSM 6.1, DSM 6.0, DSM 5.2 and SRM 1.1. If your Synology NAS is accessible from the internet, or is on a network where you can’t trust every user who connects to the NAS, then you should apply the mitigation. Fortunately the mitigation for the latest DSM version, DSM 6.1, is easy to implement and won’t affect usability unless you have really old software that connects to the Synology NAS.

In short, the mitigation is to disable version 1 of the SMB protocol (SMB1). Samba version 2 was released in 1999 and Samba version 3 in 2003, so version 1 should have been replaced long ago in any software that uses it, although for compatibility most vendors have left version 1 enabled. It’s time to kill off version 1, especially since this is only one of many vulnerabilities.

The description of the vulnerabilities, from Synology’s security bulletin:

CVE-2017-12150
It was found that samba did not enforce “SMB signing” when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain text.
CVE-2017-12151
A flaw was found in the way samba client used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
CVE-2017-12163
An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.

The mitigation for DSM 6.1 can be done through the DSM Control Panel: Go to Control Panel > File Service > SMB > Advanced Settings, and set Minimum SMB protocol as SMB2.

Mitigation on older DSM versions requires more effort, as does Synology Router Manager. Synology has also stated that they will release an update to DSM and SRM to address this vulnerability, but there’s no ETA. DSM 6.1 Update 5, released the same day as the security bulletin, does not resolve this issue.

For DSM 6.0

  1. Go to Control Panel > Applications > Terminal & SNMP, and tick Enable SSH service.
  2. Log in to DSM via SSH as “admin” and execute the following command:
    sudo /usr/bin/sed -i '/min protocol/d' /etc/samba/smb.conf && sudo sh -c "echo 'min protocol=SMB2' >> /etc/samba/smb.conf" && sudo /sbin/restart smbd

For DSM 5.2

  1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service.
  2. Log in to DSM via SSH as “root” and execute the following command:
    /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf && /bin/sed -i "/\[global\]/a min protocol=SMB2" /usr/syno/etc/smb.conf && /sbin/restart smbd

For SRM 1.1

  1. Go to Control Panel > Services > System Services and tick Enable SSH service.
  2. Log in to SRM via SSH as “root” and execute the following command:
    /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf && /bin/sed -i "/\[global\]/a min protocol=SMB2" /usr/syno/etc/smb.conf && /sbin/restart smbd
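As an added example (not Synology’s own commands), the DSM 6.0, DSM 5.2 and SRM 1.1 mitigation above written as an idempotent POSIX shell script: it works on an smb.conf whose path you pass in, escapes the [global] header correctly, and then verifies that the effective minimum protocol excludes SMB1. The sample smb.conf is constructed for the demonstration, and the script does not restart smbd.

```shell
# Added example, not Synology's own commands: apply the SMB1 mitigation to
# an smb.conf given as a parameter (DSM 6.0: /etc/samba/smb.conf; DSM 5.2
# and SRM 1.1: /usr/syno/etc/smb.conf) and verify it. Nothing restarts smbd.

# Constructed sample config: a weak "min protocol" already sits in [global]
# and a share section follows that must stay untouched.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = WORKGROUP
    min protocol = NT1
    server string = Synology NAS
[homes]
    browseable = no
EOF
}

# Delete every existing "min protocol" line, then add the hardened value
# right after the [global] header (appending at end of file would put a
# global-only option inside the last share section). The brackets are
# escaped so sed matches the literal header, not any one letter of it.
set_min_protocol() {
    conf="$1"
    sed -e '/^[[:space:]]*min protocol[[:space:]]*=/d' \
        -e '/^[[:space:]]*server min protocol[[:space:]]*=/d' \
        -e '/^\[global\]/a\
min protocol = SMB2' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the last "min protocol" / "server min protocol" value inside
# [global] (later entries win); other sections are ignored because the
# option is global-only. Prints UNSET when the file never sets it.
effective_min_protocol() {
    awk -F= '
        /^\[/ { in_global = ($0 ~ /^\[global\]/); next }
        in_global && $1 ~ /^[ \t]*(server )?min protocol[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
        }
        END { print (val == "" ? "UNSET" : val) }
    ' "$1"
}

# Succeeds only when SMB1 is excluded: the minimum is an SMB2 or SMB3
# dialect (Samba also accepts forms such as SMB2_10 and SMB3_00).
smb1_disabled() {
    case "$(effective_min_protocol "$1")" in
        [Ss][Mm][Bb][23]*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `set_min_protocol` against a copy of the real file first and inspect the result before touching the live configuration; on DSM the copy can be checked with `smb1_disabled` before `smbd` is restarted.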

DSM 6.1.3-15152 Update 5 is Released

Synology released DSM 6.1.3-15152 Update 5 on September 25, 2017, which contains two Bluetooth related security updates in addition to fixing six other issues. If you don’t have a Bluetooth dongle on your NAS the security vulnerabilities don’t affect you.

One of the fixes (#5 listed below) could affect you if QuickConnect is enabled, since updates may not be verified. This is mitigated by the fact that your update process would first need to be redirected to a malicious update server.

This update will immediately reboot the NAS when it is applied.

I have applied it to a DS1815+, DS716+, DS415+ and a DS1511+ without having any issues. The following fixes are included in the update according to Synology.

(Released 2017-09-25)
Important Note
* The update is expected to be available for all regions within the next few days, although the time of release in each region may vary slightly.
* This update will restart your Synology NAS.

Fixed Issues
1. Enhanced the monitoring mechanism for drive temperatures.
2. Enhanced compatibility of certain drives.
3. Improved the healing mechanism for possible cache device errors.
4. Enhanced file system stability by backporting Kernel updates.
5. Fixed an issue where DSM might not check updates properly when QuickConnect is enabled.
6. Enhanced the stability of DSM startup.
7. Fixed a security vulnerability regarding Bluetooth dongle (CVE-2017-1000250).
8. Fixed a security vulnerability regarding Linux kernel (CVE-2017-1000251). This is sometimes referred to as the BlueBorne vulnerability.

Critical DSM Update: DSM 6.1.3-15152-4

Synology has released an update to its DSM software. DSM 6.1.3-15152 Update 4 fixes some bugs that could cause data loss in some specific situations. If you use the new Btrfs file system or have fewer than three hard drives installed then the data loss bug won’t affect you, although you should still apply the update as it contains other bug fixes.

If your NAS meets the following criteria then you’ll want to take additional steps after installing the update:
* The server is using RAID 5, RAID 6, RAID F1, or SHR with more than 3 disks.
* The volume is created on EXT4 file system.
* The server is running on DSM 6.0.2-8451 and above.

If your NAS meets the above criteria, or you just want to be safe, you’ll need to do RAID scrubbing after the update. RAID scrubbing may take several hours depending on the volume or disk group size. You can use the NAS normally, although performance may be impacted. Don’t turn off your NAS until scrubbing has finished.

To start RAID scrubbing, open Storage Manager and select either Disk Group or Volume depending on your NAS configuration. (If you have disk groups available then do the scrubbing from there.) Then select Manage and run the Wizard for RAID scrubbing.

Screenshots: “Click Manage to start the wizard” and “Select Perform RAID Scrubbing and run the wizard”.

Synology has said that the following NAS models should upgrade as soon as possible as they are potentially affected by this bug.

17 series: RS18017xs+, RS4017xs+, RS3617xs+, RS3617xs, RS3617RPxs, DS3617xs, DS1817+, DS1817, DS1517+, DS1517

16 series: RS18016xs+, RS2416+, RS2416RP+, RS816, DS916+, DS716+II, DS716+, DS416play, DS416slim, DS416j, DS416

15 series: RS815+, RS815RP+, RS815, RC18015xs+, DS3615xs, DS2415+, DS2015xs, DS1815+, DS1515+, DS1515, DS715, DS415+, DS415play

14 series: RS3614xs+, RS3614xs, RS3614RPxs, RS2414+, RS2414RP+, RS814+, RS814RP+, RS814, RS214, DS414slim, DS414j, DS414

13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+, DS413j, DS413

12 series: RS3412xs, RS3412RPxs, RS2212+, RS2212RP+, RS812+, RS812RP+, RS812, DS3612xs, DS1812+, DS1512+, DS712+, DS412+

11 series: RS3411xs, RS3411RPxs, RS2211+, RS2211RP+, RS411, DS3611xs, DS2411+, DS1511+, DS411+II, DS411+, DS411slim, DS411j, DS411

Synology described the bug in an email by writing:

The issue was brought to our attention a few weeks ago when the NAS communities discussed the potential data integrity threat that may occur after a RAID 5 repair. In-house investigation revealed the issue stems from a Linux feature known as skip_copy. This open source feature contains a slight design fault that may lead to potential data corruption after a RAID array is repaired from degraded mode. The Synology team moved quickly to identify and reproduce the issue, which is resolved in the latest DSM 6.1.3 update.

The update fixes additional issues so it is appropriate for many models not affected with the data integrity bug. The complete list of fixes is:

  1. Fixed HDD hibernation issues to enhance HDD compatibility.
  2. Enhanced overall stability of iSCSI services.
  3. Fixed compatibility issues with VMware environments.
  4. Fixed multiple security vulnerabilities regarding Linux Kernel (CVE-2017-7533, CVE-2017-10661, CVE-2017-10662, CVE-2017-10663).
  5. Enhanced the stability of RAID 5, RAID 6, RAID F1, & SHR.

Synology Releases DiskStation DS418j

Synology has released a new NAS, the DS418j. The J series comprises Synology’s entry-level NAS models, of which this is the flagship. The DS418j has four drive bays and can accommodate up to 40 TB with today’s largest capacity drives. The DS418j does not support the new Btrfs file system.

Two camera licenses are included for Surveillance Station and 5 VPN connections are supported by the VPN Server package.

The DS418j is currently available in the U.S. from Amazon.com from 3rd party sellers that are currently charging a premium. Amazon itself has it listed for a significantly lower price ($299) than the 3rd party sellers but it is out of stock. It can be backordered to get the $299 price. NewEgg has it in stock for $299 with free shipping.

The DS416j is still available and at a reduced price (at least it should be reduced). This link will compare the models (it may break when the DS416j is officially discontinued).