Synology News & Security Recap – May 31, 2018

Synology News

The big Synology news in May was the release of DiskStation Manager 6.2 (DSM 6.2). Data protection and enterprise features were the primary focus of this update. The user interfaces for several system features (such as Storage Manager and Package Center) also received facelifts and streamlining. Here’s the press release. I wrote about the release here.

Security Bulletins

PHP has a vulnerability that allows a remote attacker to execute arbitrary code. Synology has given this their highest severity rating. It affects PHP 5.2, PHP 5.6 and PHP 7.0. A fix for this vulnerability is not yet available from Synology. Full details are in Synology Security Bulletin SA-18:20 PHP. Refer to the bulletin for contact information if you need immediate assistance.

DiskStation Manager (DSM) has a security vulnerability introduced by a flaw in the Linux kernel. The vulnerability is currently unresolved. This has the highest severity rating (Important) on DSM 6.1 with a Moderate severity rating on other DSM versions. Refer to Synology Security Bulletin SA-18:21 Linux Kernel for a complete list of models and DSM versions affected.

Synology released Synology Security Bulletin SA-18:22 EFAIL to let us know that their products are not affected by the EFAIL vulnerability which affects some email clients.

The Spectre-related CPU vulnerabilities continue to expand. Synology released Synology Security Bulletin SA-18:23 Speculative Store Bypass to track the latest Spectre-related vulnerability. Synology rates the vulnerability as Moderate, and it affects all DSM versions. Refer to the security bulletin to see if your NAS model uses an affected CPU. There is no current mitigation.

DiskStation Manager has a vulnerability that allows remote authenticated users to execute arbitrary code, or set a new password without verification. Synology rates this as Important, although since it does require user authentication, you may be less concerned, depending on how much you trust your users. This is covered in Synology Security Bulletin SA-18:24 DSM. While it is listed as resolved, the resolution is to upgrade to DSM 6.2 which you may not be ready to do. DSM 5.2, 6.0 and 6.1 are all affected.

Synology Router Manager has a vulnerability rated as Moderate. This allows a remote attacker to inject arbitrary scripts or HTML code. The resolution is to upgrade to SRM 1.1.7-6940 or above. See Synology Security Bulletin SA-18:25 SRM for more information.

DiskStation Manager has a second vulnerability that allows remote users to inject arbitrary web scripts or HTML. This doesn’t affect the newly released DSM 6.2 and is rated as Moderate for other DSM versions. The fix is to upgrade to DSM 6.1.4-15217-3 or above; for DSM 5.2 and DSM 6.0 this upgrade is the only mitigation and the only patch option. Full details are in Synology Security Bulletin SA-18:26 DSM.

Universal Search has a vulnerability that’s rated as Moderate. Authenticated users can bypass permission checks to access directories. Universal Search is a Package Center package, but it is installed and started automatically and can’t be disabled. To resolve the vulnerability, use Package Center to update the package to version 1.0.5-0135 or above. Full details are in Synology Security Bulletin SA-18:27 Universal Search.

The SSO Server package has a vulnerability rated as Important, which is the most severe rating. It allows remote attackers to conduct clickjacking attacks. If you use the SSO Server package, you should upgrade to version 2.1.3-0129 or above. Full details are in Synology Security Bulletin SA-18:28 SSO Server.
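Several of the bulletins above resolve to "upgrade to version X or above", and Synology's version strings carry a build and a small-fix suffix (for example 6.1.4-15217-3) that a naive string comparison gets wrong. The following is an added example, not code from Synology or from this post, that parses those strings and reports which of the bulletins with a stated fix version still apply to a given installed version; the fix versions are the ones quoted in the bulletins above, and the sample installed versions are constructed.

```python
import re

# Parses Synology-style version strings such as "6.1.4-15217-3", "6.1.7-15284",
# "1.1.7-6940" or a bare "6.2" into (major, minor, patch, build, smallfix).
# Missing fields default to 0, so "6.1.4-15217" sorts below "6.1.4-15217-3"
# and "6.2" sorts above every 6.1.x build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?(?:-(\d+))?$")


def parse_version(text):
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_fixed(installed, fixed_in):
    """True when the installed version is at or above the bulletin's fixed version."""
    return parse_version(installed) >= parse_version(fixed_in)


# Fixed versions as stated in SA-18:24, SA-18:26 and SA-18:25 above.
# SA-18:20, SA-18:21 and SA-18:23 have no fix yet, so they cannot be checked this way.
DSM_BULLETINS = {
    "SA-18:24 DSM (authenticated code execution / password reset)": "6.2",
    "SA-18:26 DSM (script/HTML injection)": "6.1.4-15217-3",
}
SRM_BULLETINS = {
    "SA-18:25 SRM (script/HTML injection)": "1.1.7-6940",
}


def outstanding(installed, bulletins):
    """Return the names of bulletins whose fixed version the installed version does not reach."""
    return [name for name, fixed in bulletins.items() if not is_fixed(installed, fixed)]


if __name__ == "__main__":
    # Constructed sample versions: a box on the 6.1.7-15284 update, an older 6.1.4 build, and DSM 6.2.
    for v in ("6.1.7-15284", "6.1.4-15217", "6.2"):
        print(v, "->", outstanding(v, DSM_BULLETINS) or "no outstanding DSM bulletins")
```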

DiskStation Manager (DSM) and Synology Router Manager (SRM) Updates

DSM 6.1.7-15284 was released concurrently with DSM 6.2 and includes needed security patches for those of us not immediately upgrading to DSM 6.2. The full list of fixes includes:

  • Improved stability of Docker when using Btrfs under low memory configurations
  • Improved stability of the snapshot replication feature
  • Enhanced stability of MCS in Windows environments
  • Fixed an issue where a file’s Last Opened Date may be incorrect when using Spotlight
  • Fixed an issue where enabling SSD Trim may cause file services failure in a high-availability cluster
  • Fixed an issue where changes to fan speed settings do not apply immediately in a high-availability cluster
  • Fixed a security vulnerability regarding Wget (CVE-2018-0494)
  • Fixed a security vulnerability regarding PostgreSQL (CVE-2018-1058)
  • Fixed a security vulnerability regarding Linux kernel (Synology-SA-18:21, CVE-2018-1000199).

SRM 1.1.7-6941 was released. It contains much more than the previously mentioned security fix. The complete list is:

What’s New

  • Added support for IPv6 relay
  • Added support for IPv6 DS-Lite
  • Added support for FLET’s IPv6 service in Japan
  • Added support for subnet mask configuration for guest network
  • Updated Privacy Statement and adjusted related settings

Fixed Issues

  • Fixed an issue where Traffic Control might not work properly on 3G/LTE interface
  • Fixed an issue where channel selection for 2.4GHz band might not be available with 40MHz bandwidth
  • Fixed an issue where PPPoE might not work properly with certain ISPs

Security Updates

  • Fixed a security vulnerability regarding PostgreSQL (CVE-2018-1058)
  • Fixed a security vulnerability (Synology-SA-18:25)
  • Fixed multiple security vulnerabilities regarding Linux kernel (CVE-2017-15649, CVE-2018-1000199)
  • Fixed a security vulnerability regarding DHCP (CVE-2018-5732)
  • Fixed a security vulnerability regarding 7-Zip (CVE-2017-17969)

Synology News

Synology has released a new NAS model, the DS1618+. It has six internal drive bays and is expandable to 16 drives with two optional expansion units. Synology says this is their “fastest Plus series NAS ever.”
