August started off slow as far as Synology security bulletins are concerned. By the end of the month, there were eleven security bulletins. The good news is that two of them were only to tell us that while the affected software is used, Synology products were unaffected. The bad news is that the number of unresolved issues is growing. A dozen bulletins released this year still have an ongoing status, and nine of those open vulnerabilities were published in July and August.
## Security Bulletins
Synology Security Bulletin SA-18:40 Synology Application Service addresses a moderate vulnerability in the Synology Application Service that allows authenticated remote users to obtain “sensitive” information. It is resolved by updating to version 1.5.4-0320 or above.
[Synology Security Bulletin SA-18:41 Linux kernel](https://www.synology.com/en-us/support/security/Synology_SA_18_41 "Jump to the security bulletin") and Synology Security Bulletin SA-18:42 ISC Bind confirm that Synology software is not affected by these vulnerabilities, even though the software is used.
Synology Security Bulletin SA-18:43 MailPlus Server is rated as Important because it allows a remote denial-of-service attack against MailPlus Server. To patch the vulnerability, upgrade to version 2.0.5-0606 or above.
Synology Security Bulletin SA-18:44 Linux Kernel addresses the FragmentSmack attack, which can be used for a denial-of-service attack. Synology Router Manager (SRM) is not vulnerable, thanks to being built on an older Linux kernel. All versions of DSM are vulnerable and not yet patched. According to the bulletin, the fix for DSM 6.1 and 5.2 will be to upgrade to DSM 6.2 once that version is patched. SkyNAS and VS960HD are also vulnerable and unpatched.
Synology Security Bulletin SA-18:45 L1 Terminal Fault is yet another Intel CPU vulnerability (aka the Foreshadow attack). This vulnerability affects DSM on models with an Intel chip; see the bulletin for the complete list. While it is rated as Moderate, a specific set of circumstances is needed to exploit it: the vulnerability allows one virtual machine to steal information from another virtual machine, so you would need to be running several VMs, at least one of which allows an untrusted person to install software on it (or is accessible from the internet). This is a significant issue for web hosts, less so for Synology owners. Like the previous bulletin, DSM 5.2 and DSM 6.1 will need to update to DSM 6.2 (once DSM 6.2 is patched).
Synology Security Bulletin SA-18:46 Internet Key Exchange V1 has an Important severity rating, which is the highest. It remains an ongoing issue, without resolution. It affects all versions of DSM, SkyNAS and SRM 1.1. It also affects VPN Server and VPN Plus Server. Again, DSM 6.1 and 5.2 will require DSM 6.2 to get the fix. If you need immediate mitigation, refer to the security bulletin for Synology’s contact information.
Synology Security Bulletin SA-18:47 Samba affects Active Directory Server and Active Backup for Server. Currently, there is no mitigation.
Synology Security Bulletin SA-18:48 SRM announces a vulnerability that can be exploited by remote users. Upgrade to 1.1.7-6941-2 or above to plug the vulnerability.
Synology Security Bulletin SA-18:49 Ghostscript affects all versions of DSM and SRM if AirPrint is enabled. It’s rated as Important since it allows remote users to execute arbitrary commands. Other than disabling AirPrint, there’s currently no mitigation, so if you must use AirPrint you remain exposed.
Synology Security Bulletin SA-18:50 Drive describes a vulnerability in the Synology Drive package. It is resolved in Drive version 1.1.2-10562 and above.
Synology Security Bulletin SA-18:51 DSM affects all versions and variations of DSM. Upgrading to DSM 6.2.1-23824 and above will resolve the issue. SkyNAS and VS960HD remain vulnerable. Again, DSM 5.1 and DSM 6.1 must update to DSM 6.2 to get the patch.
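Most of the bulletins above are resolved simply by being at or above a quoted package version, so the practical question for anyone running several units is which of them still fall short. The following script is an added example (not Synology's code or tooling) that parses Synology-style version strings such as `6.2.1-23824` or `1.1.7-6941-2` and compares an installed-version inventory against the fixed versions quoted in the bulletins above. The `INVENTORY` dictionary is a constructed sample; replace it with what Package Center or the DSM control panel reports for your own NAS.

```python
"""Check installed Synology package versions against the fixed versions quoted in
this month's bulletins.  Added example; the inventory below is constructed."""
import re

# Fixed versions exactly as quoted in the bulletins above.
FIXED_VERSIONS = {
    "SA-18:40": ("Synology Application Service", "1.5.4-0320"),
    "SA-18:43": ("MailPlus Server", "2.0.5-0606"),
    "SA-18:48": ("SRM", "1.1.7-6941-2"),
    "SA-18:50": ("Drive", "1.1.2-10562"),
    "SA-18:51": ("DSM", "6.2.1-23824"),
}

# Constructed sample inventory: package name -> installed version string.
INVENTORY = {
    "DSM": "6.1.7-15284",
    "Synology Application Service": "1.5.4-0320",
    "MailPlus Server": "2.0.4-0530",
    "Drive": "1.1.2-10562",
}

# Dotted release number, optionally followed by one or more dash-separated
# build numbers (e.g. "6.2.1-23824" or "1.1.7-6941-2").
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*(?:-\d+)*$")


def parse_version(version):
    """Turn a Synology version string into a comparable (release, builds) tuple.

    Components are compared numerically, so "6.2.1-23824" sorts above
    "6.1.7-15284" even though a plain string comparison would disagree.
    """
    version = version.strip()
    if not VERSION_RE.match(version):
        raise ValueError(f"unrecognised Synology version string: {version!r}")
    release, *builds = version.split("-")
    release_parts = [int(p) for p in release.split(".")]
    build_parts = [int(p) for p in builds]
    # Zero-pad so that "6.2" == "6.2.0" and "1.1.7-6941" < "1.1.7-6941-2".
    release_parts += [0] * (4 - len(release_parts))
    build_parts += [0] * (3 - len(build_parts))
    return tuple(release_parts), tuple(build_parts)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the bulletin's fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def outstanding(inventory):
    """Return (bulletin, package, installed, fixed) for every bulletin whose package
    is installed below the fixed version.  Packages that are not installed are
    skipped, since the bulletin does not apply to them.
    """
    findings = []
    for bulletin, (package, fixed) in sorted(FIXED_VERSIONS.items()):
        installed = inventory.get(package)
        if installed is None:
            continue
        if not is_fixed(installed, fixed):
            findings.append((bulletin, package, installed, fixed))
    return findings


if __name__ == "__main__":
    for bulletin, package, installed, fixed in outstanding(INVENTORY):
        print(f"{bulletin}: {package} {installed} is below fixed version {fixed}")
```

With the constructed inventory, the report flags SA-18:43 (MailPlus Server) and SA-18:51 (DSM). Note that a DSM 6.1 or 5.2 install can never satisfy a 6.2.x fixed version, which is the script's way of expressing the "must update to DSM 6.2" caveat that recurs through these bulletins.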
## DSM & SRM Updates
Synology has updated their release notes to reflect DSM 6.2.1-23824, and the update is available on their FTP site. That said, it has not shown up in the automatic checks for any Synology NAS that I support. It was recently released, August 29th, based on the release notes. I manually installed it on a DS218+ without any apparent problems. It’s a NAS I use for testing; for every other NAS, I’ll wait until the update is pushed to it.
Based on the release notes, there are a lot of fixes:
- Fixed an issue where users may not be able to delete snapshots when the volume is full.
- Fixed an issue where Windows may falsely detect an error on an exFAT format USB drive after it is used as the backup destination of Hyper Backup.
- Improved Snapshot Replication package stability.
- Fixed an issue where incorrect or incomplete update information may be displayed in the DSM Update tab.
- Fixed an issue where a single RAID with over 24 drives may fail to assemble a RAID 5/6/F1 or SHR 1/2 storage pool.
- Fixed an issue where boot failure might occur if the system was rebooted during the conversion process from RAID 5 to RAID 6.
- Enhanced the compatibility of certain drives on Synology NAS and Expansion Unit models.
- Fixed an issue where local users may fail to log in via SMB on specific Windows versions after adding their NAS to a Synology Active Directory domain.
- Improved Windows client’s clock synchronization with DSM after it is added to a Synology Active Directory domain. Upgrading Active Directory Server to version 4.4.5-0077 or above is required.
- Modified HDD hibernation mechanism to prevent HDDs from entering hibernation when a volume is degraded, crashed, or not created.
- Fixed multiple security vulnerabilities regarding Linux kernel (CVE-2018-1000199, CVE-2018-8897, CVE-2017-0861).
- Fixed a security vulnerability regarding OpenSSL (CVE-2018-0739).
- Fixed a security vulnerability regarding procps-ng (CVE-2018-1124).
- Fixed a security vulnerability regarding ISC DHCP (CVE-2017-3144).
- Fixed multiple security vulnerabilities (Synology-SA-18:51).
- Minor bug fixes.
## Product Releases & Updates