PSA: Recent Synology Security Alerts
 
Below is a list of recent security alerts issued by Synology, presented in decreasing order of importance. Some of these are pretty serious, so if you have Synology DiskStations you should not hesitate to update the appropriate software packages.

  

OpenJDK

Version: All models

  • Java7 7.0.131-0012 and earlier
  • Java8 before 8.0.151-0014

Issue: Multiple security vulnerabilities have been found in OpenJDK, and may allow remote unauthenticated users to execute arbitrary code and gain unauthorized access to data through a vulnerable version of Java7 or Java8. Severity: Critical

Fix: Go to DSM > Package Center and update Java8 to 8.0.151-0014 or above.

CardDAV Server

Version: CardDAV Server before 6.0.7-0085

Issue: CVE-2017-15887 allows remote users to obtain system user accounts through a brute-force attack against a vulnerable version of CardDAV Server. Severity: Critical

Fix: Go to DSM > Package Center and update CardDAV Server to 6.0.7-0085 or above.

DSM

Version: 5.2, 6.0. All models

Issue: A vulnerability allows remote authenticated users to write arbitrary files via a vulnerable version of Synology DiskStation Manager (DSM). Severity: Important

Fix: Update DSM 6.0 to 6.0.3-8754-3 or above and DSM 5.2 to 5.2-5967-6 or above.

DSM

Version: 5.2. All models

Issue: A command injection vulnerability in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via unspecified vectors. Severity: Important

Fix: Update DSM 5.2 to 5.2-5967-5 or above.

[Note: fixing the earlier DSM issue will also resolve this issue]

SRM (Synology Router Manager)

Version: SRM 1.1. All models

Issue: A vulnerability allows remote authenticated users to write arbitrary files via a vulnerable version of Synology Router Manager (SRM). Severity: Important

Fix: Update SRM 1.1 to 1.1.5-6542-4 or above.

File Station

Version: File Station before 1.1.1-0099

Issue: A vulnerability allows remote authenticated users to write arbitrary files via a vulnerable version of File Station. Severity: Important

Fix: Go to DSM > Package Center and update File Station to 1.1.1-0099 or above.

Calendar

Version: Calendar before 2.0.1-0242. All models

Issue: A vulnerability allows remote authenticated users to modify calendar events in an unauthorized manner via a vulnerable version of Calendar. Severity: Important

Fix: Go to DSM > Package Center and update Calendar to 2.0.1-0242 or above.

DSM, SRM, Download Station

Version: All models

  • DSM 6.1
  • DSM 6.0
  • DSM 5.2
  • SRM 1.1
  • Download Station before 3.8.7-3490

Issue: Multiple security vulnerabilities have been found in Wget, and may allow man-in-the-middle attackers to execute arbitrary code or cause a denial of service through a vulnerable version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), or Download Station.

Severity: Important

Fix: Go to DSM > Package Center and update Download Station to 3.8.7-3490 or above.

Photo Station

Version: Photo Station before 6.8.1-3458

Issue: Multiple security vulnerabilities have been found in Photo Station, and may allow remote attackers to read arbitrary files, or obtain sensitive system information from a vulnerable version of Synology Photo Station. Severity: Moderate

Fix: Go to DSM > Package Center and update Photo Station to 6.8.1-3458 or above.
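If you manage several DiskStations, it helps to turn the "X or above" thresholds above into a check you can run against an inventory of installed versions rather than reading each advisory by hand. The following Python script is an added example, not code from this post or from Synology. The fixed builds in the table are the ones stated above; Java7 is omitted because the post names no fixed Java7 build, and the DSM/SRM entries are keyed to the release line (6.0, 5.2, 1.1) each fix applies to, so a DSM 6.1 install is not reported against the 6.0 fix. The version-string format (numeric fields separated by dots and dashes) and the sample inventory at the bottom are assumptions constructed for the example.

```python
"""Compare installed Synology package versions with the fixed builds listed in the PSA."""
import re

# Minimum fixed builds as stated in the advisories. The middle field is the
# DSM/SRM release line a fix applies to (None = the fix applies to any line).
# Java7 is left out: the post gives no fixed Java7 build to compare against.
FIXED_BUILDS = [
    ("Java8", None, "8.0.151-0014"),
    ("CardDAV Server", None, "6.0.7-0085"),
    ("DSM", "6.0", "6.0.3-8754-3"),
    ("DSM", "5.2", "5.2-5967-6"),
    ("SRM", "1.1", "1.1.5-6542-4"),
    ("File Station", None, "1.1.1-0099"),
    ("Calendar", None, "2.0.1-0242"),
    ("Download Station", None, "3.8.7-3490"),
    ("Photo Station", None, "6.8.1-3458"),
]


def parse_version(text):
    """Split a version string such as '6.0.3-8754-3' into a tuple of ints.

    Assumes Synology's numeric dot/dash-separated format; anything else is rejected
    rather than silently compared as text."""
    parts = re.split(r"[.-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(installed, required):
    """True if installed >= required; the shorter tuple is zero-padded so '6.1' compares sanely."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def branch_of(version):
    """'6.0.3-8754-3' -> '6.0': the release line used to select the matching DSM/SRM fix."""
    return ".".join(str(p) for p in parse_version(version)[:2])


def outstanding_updates(installed):
    """Return [(package, installed_version, required_build), ...] for packages still below the fix.

    `installed` maps package name -> installed version string. Packages with no entry in
    FIXED_BUILDS, or on a release line the post gives no fixed build for, are not reported."""
    findings = []
    for package, version in installed.items():
        for name, branch, fixed in FIXED_BUILDS:
            if name != package:
                continue
            if branch is not None and branch != branch_of(version):
                continue
            if not version_at_least(version, fixed):
                findings.append((package, version, fixed))
    return findings


# Constructed sample inventory (not taken from a real NAS): two packages lag behind the fixes.
SAMPLE_INVENTORY = {
    "DSM": "6.0.3-8754-2",
    "Java8": "8.0.151-0014",
    "CardDAV Server": "6.0.6-0080",
    "Photo Station": "6.8.1-3458",
}

if __name__ == "__main__":
    for package, have, need in outstanding_updates(SAMPLE_INVENTORY):
        print(f"{package}: installed {have}, update to {need} or above")
```

Feed `outstanding_updates` a dict built from whatever source you use for package versions (Package Center, or an inventory export) and it reports only the packages that are still below the build named in the matching advisory. Note the zero-padding in `version_at_least`: a bare "6.1" compares as 6.1.0-0-0, which is what you want for "DSM 6.1 or above" style thresholds but means a truncated version string will look newer than a full one on the same line.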