Synology Product Security Advisory

Synology is committed to taking immediate action to fix vulnerabilities as soon as malicious attacks are identified. As cybercrime proliferates and malware grows increasingly sophisticated, Synology continues to devote resources to mitigating threats and is dedicated to providing the most reliable solutions for users.

Report Vulnerabilities

To report security issues that affect Synology products, please contact: security@synology.com

Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we will not reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.

PGP key information

When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.

Synology Product Security Updates

To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Release Date Security Updates
2017-04-18 Important Information Regarding NTP Vulnerability (CVE-2016-9042)
2017-04-17 Important Information Regarding Linux kernel Vulnerability (CVE-2016-10229)
2017-03-24 Important Information Regarding Photo Station Vulnerability
2017-03-24 Important Information Regarding Samba Vulnerability (CVE-2017-2619)
2017-03-22 Important Information Regarding Moodle Vulnerability (CVE-2017-2641)
2017-02-24 Important Information about the Auto Block function in DSM
2017-02-17 Multiple Vulnerabilities in tcpdump
2017-01-26 Precaution for a Potential SMB Vulnerability
2017-01-23 Important Information Regarding PHP 7.0 Vulnerability (CVE-2017-5340)
2017-01-18 Important Information Regarding PHPMailer Vulnerability (CVE-2017-5223)
2016-12-28 Important Information Regarding PHPMailer Vulnerability (CVE-2016-10033)
2016-12-09 Important Information Regarding ImageMagick Vulnerability (CVE-2016-8707)
2016-12-09 Important Information Regarding Roundcube Vulnerability (CVE-2016-9920)
2016-12-07 Important Information Regarding Linux Kernel Vulnerability (CVE-2016-8655)
2016-12-02 Important Information Regarding PHP Vulnerability (CVE-2016-7124)
2016-11-25 Important Information Regarding NTP Vulnerability (CVE-2016-9310)
2016-11-04 Important Information Regarding MariaDB Vulnerability (CVE-2016-6664)
2016-11-02 Important Information Regarding Joomla Vulnerability (CVE-2016-8869 and CVE-2016-8870)
2016-11-02 Important Information Regarding Linux Kernel Vulnerability (CVE-2016-5195, a.k.a. Dirty CoW)
2016-11-02 Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)

2016-10-28 Important Information Regarding OpenSSL Vulnerability (CVE-2016-7052, CVE-2016-6304)
2016-09-23 Important Information Regarding MariaDB Vulnerability (CVE-2016-6662)
2016-08-03 Photo Station 6.5.3-3226
2016-07-18 Important Information about HTTPoxy Vulnerability (CVE-2016-5387)
2016-07-18 Important Information about "libupnp: write files via POST" (CVE-2016-6255)
2016-06-08 Important Information about NTP Vulnerabilities (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956)
2016-05-04 Important Information about OpenSSL Vulnerabilities (CVE-2016-2107 and CVE-2016-2108)
2016-04-15 Important Information about Samba Badlock Vulnerability

Description

A recent announcement on badlock.org states, "On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Patches will be released on April 12th."

Samba is an open-source interoperability software suite that provides file and print services to SMB/CIFS clients. In addition to Windows, Samba also runs on Synology DSM. According to the announcement, not much is known about the Badlock flaw, other than that it is a “crucial security bug” in Windows and Samba.

Details

Alongside the Badlock vulnerability itself (CVE-2016-2118), which has drawn the most attention, multiple related CVEs were disclosed on badlock.org with differing CVSS severity scores. After an initial investigation, we would like to provide the following update on each vulnerability.

  • CVE-2016-2118: This vulnerability, also known as Badlock, has been addressed by backporting the patch from open source Samba to Samba that runs on Synology DSM. The update is available for DSM 5.2 and DSM 6.0.
  • CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2114, CVE-2016-2115: Considering the lower level of severity and the complexity of the issue, these vulnerabilities will be fixed in the upcoming updates for DSM 5.2 and DSM 6.0.
  • CVE-2016-2111, CVE-2016-2113: No patch is necessary for Synology DSM, because the Domain Server functions these vulnerabilities affect are not supported on DSM.

Update availability

Patches addressing the Badlock vulnerability are available for DSM 5.2 and DSM 6.0. To fix this issue, go to DSM > Control Panel > Update & Restore > DSM Update, and install DSM 5.2-5644 Update 8 if you are using DSM 5.2, or DSM 6.0-7321 Update 1 if you are using DSM 6.0. Patches addressing the related vulnerabilities will be included in upcoming updates.

Network Security Advice

SMB is a widely used file protocol in most business environments and also in the home. Restricting unnecessary access to this file service is an important step in increasing network security. To better secure your network, enable only the file services that are required and deny access to the rest. If you know the IP range or subnet that needs access to SMB, you can use the following instructions to set up firewall rules restricting access to that IP range or subnet:

To begin, make sure that your firewall is enabled: in Control Panel > Security > Firewall, check that Enable firewall is selected. Here you can create a new firewall profile or edit an existing one. Follow the instructions below to allow access from a specific range of IPs while denying unnecessary access from all others.

First, create a rule to allow an IP range or subnet access to SMB file service.

  1. Under Firewall Profile, please select Edit Rules.
  2. On the top left corner, click Create to create a new firewall rule.
  3. Under Ports, find Select from a list of built-in applications and click Select to choose an application.
  4. Find and check Windows file server and click OK.
  5. Under Source IP, select Specific IP and click Select on the right. (You can also select All if you want to include all IPs.)
  6. Here you can specify the IP range or subnet that you want to allow access to the SMB file service. In the example below, SMB access is allowed only for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP range or subnet.
  7. Under Action, please select Allow to allow the specified IP addresses or subnet access to SMB.
  8. Once you’ve selected an action, you can click OK.
  9. You can now see that this setup will allow SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99.

Now that the allowed IPs have been set, you must deny access to all other IPs. Follow the steps below to create a rule denying unnecessary access to the SMB file service.

  1. Repeat steps 1-4 above.
  2. Under Source IP, select All to include all IP addresses.
  3. Under Action, select Deny to block all IP addresses and subnets from accessing SMB. Click OK when done.
  4. After all the steps have been completed, you can see that all IPs are denied access to the SMB file service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule allowing these IPs must be listed before the rule blocking all IPs; otherwise the deny-all rule would also block the allowed range.

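
As an added example (not Synology's own code), the following small first-match rule evaluator models the two rules above and shows why the allow rule must precede the deny-all rule. It assumes that the Windows file server application maps to TCP port 445 only and that traffic matching no rule is allowed by default; the client addresses are constructed sample inputs.

```python
import ipaddress

SMB_PORT = 445  # assumption: "Windows file server" modelled as TCP/445 only

def parse_source(spec):
    """Build a matcher for a Source IP spec: 'All', a CIDR subnet,
    a single address, or a 'start-end' range as entered in the DSM dialog."""
    if spec == "All":
        return lambda ip: True
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lambda ip: start <= ip <= end
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net

def make_rule(source, port, action):
    """One firewall rule: who it matches, which port (None = any), allow/deny."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    return {"match": parse_source(source), "port": port, "action": action}

def evaluate(rules, src_ip, dst_port, default="allow"):
    """First matching rule wins; 'default' stands in for the profile's
    action when no rule matches (assumed to be allow here)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["port"] in (None, dst_port) and rule["match"](ip):
            return rule["action"]
    return default

# The two rules from the advisory, in the recommended order.
RECOMMENDED = [
    make_rule("192.168.1.90-192.168.1.99", SMB_PORT, "allow"),
    make_rule("All", SMB_PORT, "deny"),
]
# Same rules with the deny-all listed first: the allow rule is never reached.
REVERSED = list(reversed(RECOMMENDED))

def check_order(rules):
    """Results for an in-range client, an out-of-range client, and a
    non-SMB port (constructed sample inputs)."""
    return (
        evaluate(rules, "192.168.1.95", SMB_PORT),
        evaluate(rules, "10.0.0.7", SMB_PORT),
        evaluate(rules, "10.0.0.7", 5001),  # untouched by the SMB-only rules
    )
```

With the recommended order, check_order returns ('allow', 'deny', 'allow'); with the deny-all rule first it returns ('deny', 'deny', 'allow'), so even the intended clients lose SMB access.
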
2016-02-19 DSM 5.2-5644 Update 5
2016-01-29 Photo Station 6.3-2963
2016-01-25 Audio Station 5.4-2860
2016-01-25 Video Station 1.5-0775
2015-12-14 Note Station 1.1-0214
2015-12-14 Photo Station 6.3-2962
2015-12-11 Video Station 1.5-0772
2015-12-04 Audio Station 5.4-2857
2015-11-12 Magento 1.9.2.2-0033
2015-10-06 Audio Station 5.4-2855
2015-10-06 Photo Station 6.3-2958
2015-09-11 Download Station 3.5-2967
2015-09-11 Note Station 1.1-211
2015-09-11 Video Station 1.5-0763
2015-09-07 DSM 5.2-5592 Update 4
2015-08-28 Important Information: /usr/syno/bin/zip was wrongly quarantined by Antivirus Essential
2015-08-20 WordPress 4.2.4-039
2015-07-16 Asterisk 13.1.0-0063
2015-07-16 Magento 1.9.2.0-0029
2015-07-13 Important Information about OpenSSL Alternative Chains Certificate Forgery Vulnerability: CVE-2015-1793
2015-07-06 Download Station 3.5-2963
2015-07-01 DSM 5.2-5592
2015-07-01 Photo Station 6.3-2953
2015-06-26 Download Station 3.5-2962
2015-06-26 Drupal 7.38-0037
2015-06-26 MariaDB 5.5.43-0033
2015-06-26 Moodle 2.91-0036
2015-06-26 PACS 2.18.0-0010
2015-06-26 Video Station 1.5-0757
2015-06-09 DSM 5.2-5565 Update 2
2015-05-29 Photo Station 3.5-2945
2015-05-21 DSM 5.2-5565 Update 1
2015-02-26 Important Information about Vulnerability CVE-2015-0240
2015-01-30 Important Information about GLIBC Vulnerability “GHOST” (CVE-2015-0235)
2014-12-16 DSM 5.1-5021
2014-12-12 VPN Server 1.2-2427
2014-10-28 Important Information about POODLE Vulnerability (CVE-2014-3566)
2014-10-22 DSM 5.0-4528
2014-10-22 DSM 5.0-4627
2014-09-26 Important Information about Bash Vulnerability "ShellShock" (CVE-2014-6271 and CVE-2014-7169)
2014-09-09 DSM 3.1-1639
2014-09-09 DSM 4.0-2265
2014-09-09 DSM 4.2-3252
2014-09-09 DSM 4.3-3827 Update 7
2014-09-09 DSM 5.0-4493 Update 5
2014-08-27 DSM 4.0-2264
2014-08-26 DSM 4.2-3251
2014-08-26 DSM 4.3-3827 Update 6
2014-08-26 DSM 5.0-4493 Update 4
2014-08-07 Important Information about Ransomware SynoLocker Threat
2014-07-24 DSM 5.0-4493 Update 3
2014-07-16 DSM 4.2-3250
2014-06-25 DSM 4.3-3827 Update 4
2014-06-11 DSM 5.0-4493 Update 1
2014-06-04 DSM 5.0-4493
2014-04-24 DSM 5.0-4482
2014-04-21 DSM 4.3-3827 Update 2
2014-04-18 VPN Server 1.2-2414 & 1.2-2318
2014-04-15 DSM 4.2-3248
2014-04-10 DSM 5.0-4458 Update 2
2014-03-27 DSM 5.0-4458 Update 1
2014-03-24 WordPress 3.81-018
2014-03-20 DSM 4.0-2263
2014-03-20 DSM 4.2-3247
2014-03-20 Photo Station-2632
2014-03-18 DSM 4.3-3827 Update 1
2014-03-04 RADIUS Server 1.0-0028
2014-03-03 VPN Server 1.2-2314
2014-02-14 DSM 4.3-3827
2014-01-09 DSM 4.3-3810 Update 4
2013-11-14 DSM 4.0-2259
2013-11-14 DSM 4.2-3243