Important Information Regarding OpenSSL Vulnerability (CVE-2016-7052, CVE-2016-6304)

2016-10-28 12:00:00

Severity
Moderate
Status
Resolved

Description

Two vulnerabilities in OpenSSL were disclosed (CVE-2016-7052 and CVE-2016-6304).

CVE-2016-7052 arose because a CRL sanity check added in OpenSSL 1.1.0 was omitted from OpenSSL 1.0.2i. CVE-2016-6304 allowed a malicious client to send an excessively large OCSP Status Request extension, causing memory exhaustion on the server and thus a denial of service.
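As an added illustration (not Synology's advisory text and not OpenSSL's code), the model below shows why CVE-2016-6304 exhausted memory: the OpenSSL server retained the OCSP responder IDs from each ClientHello status_request extension, and before the fix the previous handshake's list was not released when the client renegotiated, so repeated renegotiations grew it without bound. Class and function names are hypothetical, and the extension payload is constructed sample data.

```python
# Added model of CVE-2016-6304 (hypothetical names, not OpenSSL's or Synology's code).

class VulnerableServerSession:
    """Pre-fix behaviour: responder IDs accumulate across renegotiations."""

    def __init__(self):
        self.ocsp_ids = []  # stands in for the server's retained OCSP responder-ID list

    def parse_status_request(self, responder_ids):
        # Defect: entries kept from the previous handshake are never freed,
        # so each renegotiation adds another copy of the extension's contents.
        self.ocsp_ids.extend(responder_ids)
        return len(self.ocsp_ids)


class FixedServerSession:
    """Fixed behaviour: state from the prior handshake is released first."""

    def __init__(self):
        self.ocsp_ids = []

    def parse_status_request(self, responder_ids):
        # Fix: discard the previous list before parsing the new extension,
        # so retained memory is bounded by the size of a single ClientHello.
        self.ocsp_ids = list(responder_ids)
        return len(self.ocsp_ids)


def simulate_renegotiations(session_cls, rounds, ids_per_hello):
    """Return how many responder IDs the server still holds after `rounds` handshakes."""
    session = session_cls()
    # Constructed sample payload: the same extension contents sent on every renegotiation.
    payload = [b"responder-%d" % i for i in range(ids_per_hello)]
    retained = 0
    for _ in range(rounds):
        retained = session.parse_status_request(payload)
    return retained


if __name__ == "__main__":
    print("vulnerable:", simulate_renegotiations(VulnerableServerSession, 1000, 100))
    print("fixed:     ", simulate_renegotiations(FixedServerSession, 1000, 100))
```

Retained state grows linearly with the number of renegotiations in the vulnerable model and stays constant in the fixed one, which is the difference between a memory-exhaustion condition and a bounded per-connection cost.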

After initial investigation, Synology has concluded that DSM itself is not affected by these vulnerabilities.

However, for precautionary purposes, a newer version of OpenSSL has been released to address this issue.

Update Availability

To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 6.0.2-8451 Update 2 or above to protect your Synology NAS from malicious attacks.

References

https://www.openssl.org/news/secadv/20160922.txt
https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b