Synology-SA-19:16 Dragonblood

Publish Time: 2019-04-11 14:12:42 UTC+8

Last Updated: 2019-04-15 19:03:08 UTC+8

Severity: Moderate

Status: Ongoing

Abstract

Dragonblood attacks, CVE-2019-9494, and CVE-2019-9496 allow remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM).

CVE-2019-9495, CVE-2019-9497, CVE-2019-9498, and CVE-2019-9499 allow remote attackers to obtain sensitive information via a susceptible version of RADIUS Server.

Affected Products

Product             Severity       Fixed Release Availability
SRM 1.2[1]          Moderate       Ongoing
RADIUS Server 3.0   Low            Ongoing
RADIUS Server 2.2   Not affected   N/A
DSM 6.2             Not affected   N/A
DSM 6.1             Not affected   N/A
DSM 5.2             Not affected   N/A
SkyNAS              Not affected   N/A
VS960HD             Not affected   N/A

[1] RT2600ac, MR2200ac

Mitigation

For SRM 1.2.1 or above, please download the patch below:
RT2600ac (sha256sum: 59aaacf519d605e9aa4a6b1215102674b60d2adfaa3d079bd8b16937c30a92c1)
MR2200ac (sha256sum: 43ae9853d619797381a28c512f29b4d0e8e4d05feb5557448f140e8a62c22349)
and follow this help article to perform a manual update.
For SRM 1.2.0, please upgrade to SRM 1.2.1 or above first, and then perform a manual update.

*Note: The patch is used to mitigate the issue and may modify some system-related files. When you install the patch, please ignore the warning message from Synology Security Advisory.
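
The patch should be checked against the sha256sum published above before the manual update, since the update warning is to be ignored. The script below is an added example, not Synology's own tooling; the function names and the patch file path passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded SRM patch against this advisory's digests.

# Published digests, copied from the Mitigation section of this advisory.
expected_sha256() {
    case "$1" in
        RT2600ac) echo 59aaacf519d605e9aa4a6b1215102674b60d2adfaa3d079bd8b16937c30a92c1 ;;
        MR2200ac) echo 43ae9853d619797381a28c512f29b4d0e8e4d05feb5557448f140e8a62c22349 ;;
        *) return 1 ;;
    esac
}

# Print the hex SHA-256 of a file; reading via stdin avoids filename escaping.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        return 1
    fi
}

# digest_matches FILE HEX: 0 = match, 1 = mismatch, 2 = file cannot be hashed.
digest_matches() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    actual=$(file_sha256 "$1") || return 2
    [ -n "$actual" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # compare case-insensitively
    [ "$actual" = "$want" ]
}

# verify_patch MODEL FILE: as digest_matches, plus 3 = model not in advisory.
verify_patch() {
    published=$(expected_sha256 "$1") || return 3
    digest_matches "$2" "$published"
}

# Usage (path is a placeholder): sh verify_srm_patch.sh RT2600ac ./downloaded-patch
if [ "$#" -eq 2 ]; then
    if verify_patch "$1" "$2"; then
        echo "OK: digest matches the advisory for $1"
    else
        rc=$?
        echo "DO NOT INSTALL: verification failed (code $rc)" >&2
        exit "$rc"
    fi
fi
```

A non-zero exit means the file is not the patch this advisory describes (or could not be read), and it should be downloaded again rather than installed.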

For RADIUS Server, please contact Synology technical support via https://account.synology.com/support.

Detail

Reserved

Reference

Revision

Revision   Date         Description
1          2019-04-11   Initial public release.
2          2019-04-11   Updated Mitigation for SRM.
3          2019-04-15   Updated Mitigation for SRM.