Synology Product Security Advisory

Synology is committed to taking immediate action to fix vulnerabilities as soon as malicious attacks are identified. As cybercrime proliferates and malware grows increasingly sophisticated, Synology continues to devote resources to mitigating threats and is dedicated to providing the most reliable solutions for users.

Report Vulnerabilities

To report security issues that affect Synology products, please contact: security@synology.com

Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.

PGP key information

When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.

Synology Product Security Updates

To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Release Date Security Updates
2017-04-18 Important Information Regarding NTP Vulnerability (CVE-2016-9042)
2017-04-17 Important Information Regarding Linux kernel Vulnerability (CVE-2016-10229)
2017-03-24 Important Information Regarding Photo Station Vulnerability
2017-03-24 Important Information Regarding Samba Vulnerability (CVE-2017-2619)
2017-03-22 Important Information Regarding Moodle Vulnerability (CVE-2017-2641)
2017-02-24 Important Information about the Auto Block function in DSM
2017-02-17 Multiple Vulnerabilities in tcpdump
2017-01-26 Precaution for a Potential SMB Vulnerability
2017-01-23 Important Information Regarding PHP 7.0 Vulnerability (CVE-2017-5340)
2017-01-18 Important Information Regarding PHPMailer Vulnerability (CVE-2017-5223)
2016-12-28 Important Information Regarding PHPMailer Vulnerability (CVE-2016-10033)
2016-12-09 Important Information Regarding ImageMagick Vulnerability (CVE-2016-8707)
2016-12-09 Important Information Regarding Roundcube Vulnerability (CVE-2016-9920)
2016-12-07 Important Information Regarding Linux Kernel Vulnerability (CVE-2016-8655)
2016-12-02 Important Information Regarding PHP Vulnerability (CVE-2016-7124)
2016-11-25 Important Information Regarding NTP Vulnerability (CVE-2016-9310)
2016-11-04 Important Information Regarding MariaDB Vulnerability (CVE-2016-6664)
2016-11-02 Important Information Regarding Joomla Vulnerability (CVE-2016-8869 and CVE-2016-8870)
2016-11-02 Important Information Regarding Linux Kernel Vulnerability (CVE-2016-5195, a.k.a. Dirty CoW)
2016-11-02 Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)
2016-10-28 Important Information Regarding OpenSSL Vulnerability (CVE-2016-7052, CVE-2016-6304)
2016-09-23 Important Information Regarding MariaDB Vulnerability (CVE-2016-6662)
2016-08-03 Photo Station 6.5.3-3226
2016-07-18 Important Information about HTTPoxy Vulnerability (CVE-2016-5387)
2016-07-18 Important Information about "libupnp: write files via POST" (CVE-2016-6255)
2016-06-08 Important Information about NTP Vulnerabilities (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956)
2016-05-04 Important Information about OpenSSL Vulnerabilities (CVE-2016-2107 and CVE-2016-2108)
2016-04-15 Important Information about Samba Badlock Vulnerability
2016-02-19 DSM 5.2-5644 Update 5
2016-01-29 Photo Station 6.3-2963
2016-01-25 Audio Station 5.4-2860
2016-01-25 Video Station 1.5-0775
2015-12-14 Note Station 1.1-0214
2015-12-14 Photo Station 6.3-2962
2015-12-11 Video Station 1.5-0772
2015-12-04 Audio Station 5.4-2857
2015-11-12 Magento 1.9.2.2-0033
2015-10-06 Audio Station 5.4-2855
2015-10-06 Photo Station 6.3-2958
2015-09-11 Download Station 3.5-2967
2015-09-11 Note Station 1.1-211
2015-09-11 Video Station 1.5-0763
2015-09-07 DSM 5.2-5592 Update 4

Description

DSM 5.2-5592 Update 4 includes the following security fixes:

  1. Upgraded Apache HTTP Server to 2.2.31 to address one security vulnerability (CVE-2015-3183).
  2. Upgraded PHP to 5.5.28 to address two security vulnerabilities (CVE-2015-5589 and CVE-2015-5590).
  3. Fixed two security vulnerabilities to prevent cross-site scripting (XSS) attacks.
  4. Fixed a security vulnerability in the PCRE library (ASA-201508-11).

Resolution

To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 4 or above to protect your Synology NAS from malicious attacks.

2015-08-28 Important Information: /usr/syno/bin/zip was wrongly quarantined by Antivirus Essential
2015-08-20 WordPress 4.2.4-039
2015-07-16 Asterisk 13.1.0-0063
2015-07-16 Magento 1.9.2.0-0029
2015-07-13 Important Information about OpenSSL Alternative Chains Certificate Forgery Vulnerability: CVE-2015-1793
2015-07-06 Download Station 3.5-2963
2015-07-01 DSM 5.2-5592
2015-07-01 Photo Station 6.3-2953
2015-06-26 Download Station 3.5-2962
2015-06-26 Drupal 7.38-0037
2015-06-26 MariaDB 5.5.43-0033
2015-06-26 Moodle 2.91-0036
2015-06-26 PACS 2.18.0-0010
2015-06-26 Video Station 1.5-0757
2015-06-09 DSM 5.2-5565 Update 2
2015-05-29 Photo Station 3.5-2945
2015-05-21 DSM 5.2-5565 Update 1
2015-02-26 Important Information about Vulnerability CVE-2015-0240
2015-01-30 Important Information about GLIBC Vulnerability “GHOST” (CVE-2015-0235)
2014-12-16 DSM 5.1-5021
2014-12-12 VPN Server 1.2-2427
2014-10-28 Important Information about POODLE Vulnerability (CVE-2014-3566)
2014-10-22 DSM 5.0-4528
2014-10-22 DSM 5.0-4627
2014-09-26 Important Information about Bash Vulnerability "ShellShock" (CVE-2014-6271 and CVE-2014-7169)
2014-09-09 DSM 3.1-1639
2014-09-09 DSM 4.0-2265
2014-09-09 DSM 4.2-3252
2014-09-09 DSM 4.3-3827 Update 7
2014-09-09 DSM 5.0-4493 Update 5
2014-08-27 DSM 4.0-2264
2014-08-26 DSM 4.2-3251
2014-08-26 DSM 4.3-3827 Update 6
2014-08-26 DSM 5.0-4493 Update 4
2014-08-07 Important Information about Ransomware SynoLocker Threat
2014-07-24 DSM 5.0-4493 Update 3
2014-07-16 DSM 4.2-3250
2014-06-25 DSM 4.3-3827 Update 4
2014-06-11 DSM 5.0-4493 Update 1
2014-06-04 DSM 5.0-4493
2014-04-24 DSM 5.0-4482
2014-04-21 DSM 4.3-3827 Update 2
2014-04-18 VPN Server 1.2-2414 & 1.2-2318
2014-04-15 DSM 4.2-3248
2014-04-10 DSM 5.0-4458 Update 2
2014-03-27 DSM 5.0-4458 Update 1
2014-03-24 WordPress 3.81-018
2014-03-20 DSM 4.0-2263
2014-03-20 DSM 4.2-3247
2014-03-20 Photo Station-2632
2014-03-18 DSM 4.3-3827 Update 1
2014-03-04 RADIUS Server 1.0-0028
2014-03-03 VPN Server 1.2-2314
2014-02-14 DSM 4.3-3827
2014-01-09 DSM 4.3-3810 Update 4
2013-11-14 DSM 4.0-2259
2013-11-14 DSM 4.2-3243