Synology Response to Meltdown and Spectre


You’ve probably already read about the widespread Meltdown and Spectre CPU exploits. There’s been a lot of incomplete or incorrect information about the vulnerabilities. Initial reports indicated that only Intel CPUs were affected, which isn’t accurate: AMD and ARM chips are also affected. Most CPUs are impacted, although a few low-end CPUs avoid the problems. For example, Raspberry Pis aren’t affected because the Raspberry Pi makers wanted simple, cheap CPUs and didn’t license the additional features that would have been vulnerable, since they didn’t need them.

In short, the vulnerability takes advantage of the things modern CPUs do to enhance performance, such as caching (in the CPU, not disk caching) and speculative execution. This article uses a simple analogy to explain some of the vulnerability.

Unfortunately, the fastest and most secure way to patch the vulnerability is to use blunt force to turn off the performance enhancements that enable the vulnerability. Depending on your specific use, this can have a severe impact on performance. Over time these blunt-force patches can be scaled back, and targeted fixes can replace them. These targeted fixes require changes to the hardware (or at least hardware firmware), operating systems, and in some cases, individual applications.

Synology has released a security bulletin which identifies the impacted NAS and router models, which is most of them. Not all the affected models are Intel-based. The vulnerability appears with DSM 5.2, DSM 6.0 and DSM 6.1. (I imagine DSM 6.2 beta is also impacted.) VisualStation is also affected.

Currently, no patches or other mitigations are available. Synology will update their security bulletin as things change. Refer to security bulletin SA-18-01 for current details.
