Recent Synology Security Updates


DSM Updates

Synology released DSM version 6.1.4-15217-2 only ten days after version 6.1.4-15217-1. The release notes listed only one update: multiple security vulnerabilities were fixed in Samba. These were identified in Synology Security Bulletin SA-17:72.

Synology Security Bulletin SA-17:74 identifies a vulnerability, exploitable by local users, that affects DSM 6.0 and 6.1. It is fixed in DSM 6.1.4-15217 and above. There is no mention of a mitigation or update for DSM 6.0.

Synology Security Bulletin SA-17:65 identifies a vulnerability in DSM 5.2 (only). The fix is in 5.2-5967-5 and above.

Synology Security Bulletin SA-17:70 identifies a vulnerability in DSM 6.0 and 5.2. It is fixed in 6.0.3-8754-3 and above for the 6.0 branch along with 5.2-5967-6 and above for the DSM 5.2 branch. DSM 6.1 is not affected.

Package Updates

Synology Security Bulletin SA-17:66 identifies a critical security vulnerability in the Java8 package (OpenJDK). The vulnerabilities can be patched by updating Java8 to 8.0.151-0014 or above through Package Center.

Synology Security Bulletin SA-17:68 identifies a security vulnerability in Calendar. It is fixed in Calendar 2.0.1-0242 and above. Update Calendar through Package Center to fix the vulnerability.

Synology Security Bulletin SA-17:69 identifies a vulnerability in File Station. The fix is included in File Station 1.1.1-0099 and above.

Synology Security Bulletin SA-17:75 identifies a vulnerability in MailPlus that is fixed in MailPlus Server 1.4.0-0415 and above.

Hardware

Synology Security Bulletin SA-17:73 identifies a vulnerability in the Intel Trusted Execution Technology and the Intel Management Engine. (FYI: this also affects desktop and laptop computers that use the technology, of which there are many).

This is a hardware vulnerability, so all DSM versions would be impacted, but the technology only started appearing in the 18-series of hardware. The only impacted models are the DS918+, DS718+, DS218+, and the DS418play. No fix is currently available, although Synology says that administrative privilege is needed to exploit these vulnerabilities.
