There were a couple of security bulletins during the first half of March, which I recapped here. The last half of March brought nine additional security bulletins and a security-focused update to DSM.
With these bulletins, I noticed Synology stopped doing security updates for DSM 6.0 and DSM 5.2. Their patch for these older releases is to upgrade to the latest 6.1 release. I don’t run any of these older versions, so this may have happened long ago and I never noticed.
File Station has a moderate code injection vulnerability that is resolved by upgrading to version 1.1.4-0122 or above. The security bulletin is Synology-SA-18:09 File Station.
CardDAV Server has a moderate code injection vulnerability that is resolved by upgrading to version 6.0.8-0086 or above. The security bulletin is Synology-SA-18:10 CardDAV Server.
Drive has a moderate code injection vulnerability that is resolved by upgrading to version 1.0.2-10275 or above. The security bulletin is Synology-SA-18:11 Drive.
Office has a moderate code injection vulnerability that is resolved by upgrading to version 3.0.3-2143 or above. The security bulletin is Synology-SA-18:12 Office.
NTP has a moderate vulnerability that allows association attacks. NTP is part of the OS (DSM/SRM) for all Synology hardware, so an OS update is required to patch this issue. An update is available for all Synology hardware except the VS960HD. DSM versions must be updated to 6.1.6-15266 or above to resolve the issue. SRM versions must be updated to 1.1.6-6931-3 or above to resolve the issue. Full details are in the Synology-SA-18:13 NTP security bulletin.
DiskStation Manager itself has multiple vulnerabilities rated “Important”, since they could allow credentials to be stolen. Upgrade DSM to version 6.1.6-15266 or above to patch them. The security bulletin is Synology-SA-18:14 DSM.
Photo Station has an Important vulnerability that can allow a remote attacker to hijack administrator authentication. If you run Photo Station 6.8, upgrade to 6.8.5-3471 or above. If you run Photo Station 6.3, upgrade to 6.3-2975 or above. The security bulletin is Synology-SA-18:15 Photo Station.
Calendar has a moderate vulnerability that allows an attacker to create arbitrary events in the calendar. It is patched by upgrading to 2.1.2-0511 or above. The security bulletin is Synology-SA-18:16 Calendar.
Drupal has an Important vulnerability that allows remote attackers to execute arbitrary code. This one is extremely severe, since the Drupal community expected immediate exploits using this vulnerability once it was announced. If you run Drupal on Synology, refer to the bulletin. As I write this, there is no mitigation from Synology other than to contact them, which you should do immediately. The security bulletin is Synology-SA-18:17 Drupal.
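The bulletins above boil down to a list of minimum fixed versions, and the practical question for an administrator is whether every installed package meets them. The script below is an added example (not from the original post or from Synology) that parses Synology's version strings (dotted version plus one or more dash-separated build numbers, e.g. 6.1.6-15266 or 1.1.6-6931-3) and compares an inventory against the minimums quoted above. The Photo Station entry shows how to handle a bulletin that gives a different minimum per branch. The inventory at the bottom is constructed sample data, not real output from any device.

```python
"""Check installed Synology package versions against the minimums in a set of bulletins.

Version strings look like "6.1.6-15266", "6.3-2975" or "1.1.6-6931-3":
a dotted release number, then one or more dash-separated build numbers.
"""

# Minimum fixed versions from the late-March 2018 bulletins quoted above.
# Each value is a list of (branch_prefix, minimum_version); an empty prefix
# matches every installed branch.
MINIMUMS = {
    "File Station": [("", "1.1.4-0122")],
    "CardDAV Server": [("", "6.0.8-0086")],
    "Drive": [("", "1.0.2-10275")],
    "Office": [("", "3.0.3-2143")],
    "Calendar": [("", "2.1.2-0511")],
    "Photo Station": [("6.8", "6.8.5-3471"), ("6.3", "6.3-2975")],
    "DSM": [("", "6.1.6-15266")],
    "SRM": [("", "1.1.6-6931-3")],
}


def parse_version(version: str):
    """Split "6.1.6-15266" into ((6, 1, 6), (15266,)) so tuples compare numerically.

    Leading zeros in build numbers ("0122") are dropped by int(), and extra
    dash components ("-6931-3") become further elements of the build tuple.
    """
    parts = version.strip().split("-")
    dotted = tuple(int(x) for x in parts[0].split("."))
    build = tuple(int(x) for x in parts[1:])
    return dotted, build


def on_branch(installed: str, branch: str) -> bool:
    """True if the installed dotted version starts with the branch prefix ("6.8")."""
    if not branch:
        return True
    inst = installed.split("-")[0].split(".")
    want = branch.split(".")
    return inst[: len(want)] == want


def is_patched(package: str, installed: str):
    """Return (patched, required_minimum) for one package.

    Raises ValueError when the installed branch is not covered by the bulletin,
    which is the case that needs a human decision rather than a silent pass.
    """
    for branch, minimum in MINIMUMS[package]:
        if on_branch(installed, branch):
            return parse_version(installed) >= parse_version(minimum), minimum
    raise ValueError(f"{package} {installed}: branch not covered by the bulletin")


def audit(inventory: dict) -> list:
    """Return [(package, installed, required), ...] for everything still unpatched."""
    outstanding = []
    for package, installed in inventory.items():
        patched, required = is_patched(package, installed)
        if not patched:
            outstanding.append((package, installed, required))
    return outstanding


# Constructed sample inventory for demonstration; not data from a real device.
SAMPLE_INVENTORY = {
    "DSM": "6.1.5-15254",
    "File Station": "1.1.4-0122",
    "Photo Station": "6.3-2974",
    "Drive": "1.0.2-10275",
}

if __name__ == "__main__":
    for pkg, installed, required in audit(SAMPLE_INVENTORY):
        print(f"UPDATE {pkg}: {installed} -> {required}")
```

Note that a package equal to the minimum counts as patched, and that an installed branch the bulletin does not mention (for example a hypothetical Photo Station 7.x) raises instead of being reported as safe.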
DiskStation Manager (DSM) Updates
DiskStation Manager (DSM) was updated to version 6.1.6-15266 on March 27, 2018. It does require a reboot. While not exclusively security-related, the fixed-issues list is heavy on security fixes, so you should apply the update as soon as possible.
- Fixed an issue where the iSCSI service may stop in a Windows cluster environment.
- Fixed an issue where the history record of Resource Monitor may not be updated.
- Fixed an issue where Korean files may not be read by HFS+.
- Fixed a security vulnerability regarding p7zip (CVE-2017-17969).
- Fixed multiple security vulnerabilities regarding NTP (Synology-SA-18:13).
- Fixed multiple security vulnerabilities regarding Linux kernel (CVE-2017-15649, CVE-2017-17712).
- Fixed a security vulnerability regarding isc-dhcp (CVE-2018-5732).
- Fixed multiple security vulnerabilities regarding Samba (Synology-SA-18:08).
- Fixed multiple vulnerabilities (Synology-SA-18:14).
Other Synology News
March also saw Synology make their C2 Backup service available to users worldwide. I’ve begun to use it here in the United States. My current experience, and what I learned so far are in my Synology C2 Overview, Setting up Synology C2 Backup and the Synology C2 Web Management articles.
Synology also released new hardware. The RS2418+/RS2418RP+ models start at about $1,700 and are targeted to small and medium businesses. They are 2U rack-mountable units. The RP model has redundant power supplies. Synology’s press release is here.