Synology-SA-22:06 Netatalk
Publish Time: 2022-04-28 13:32:54 UTC+8
Last Updated: 2022-08-29 14:02:06 UTC+8
- Severity
- Critical
- Status
- Resolved
Abstract
Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.1 | Critical | Upgrade to 7.1-42661-1 or above. |
| DSM 7.0 | Critical | Upgrade to 7.0.1-42218-4 or above. |
| DSM 6.2 | Critical | Upgrade to 6.2.4-25556-6 or above. |
| SRM 1.3 | Critical | Upgrade to 1.3-9193-1 or above. |
| SRM 1.2 | Critical | Upgrade to 1.2.5-8227-5 or above. |
| VS Firmware 2.3 | Not affected | N/A |
Mitigation
Netatalk provides file access through AFP (Apple Filing Protocol) on DSM. This service has been disabled by default since DSM 7.0. We recommend using SMB protocol instead when connecting from macOS.
For Synology systems not yet upgraded to DSM 7.1-42661-1 or newer, administrators can disable "AFP service" to mitigate this specific vulnerability. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation.
Detail
Reserved
Reference
- Netatalk 3.1.13
- CVE-2022-0194
- CVE-2022-23121
- CVE-2022-23122
- CVE-2022-23123
- CVE-2022-23124
- CVE-2022-23125
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2022-04-28 | Initial public release. |
| 2 | 2022-05-01 | Updated Mitigation for Support. |
| 3 | 2022-05-14 | Update for SRM 1.2 is now available in Affected Products. |
| 4 | 2022-05-18 | Update for DSM 7.0 is now available in Affected Products. |
| 5 | 2022-05-24 | Added SRM 1.3 to Affected Products. |
| 6 | 2022-05-24 | Update for SRM 1.3 is now available in Affected Products. |
| 7 | 2022-05-24 | Update for DSM 6.2 is now available in Affected Products. |