DSM 4.2-3251
Publish Time: 2014-08-26 00:00:00 UTC+8
Last Updated: UTC+8
Status: Resolved
Description
This update for DSM 4.2-3251 addresses the following security vulnerabilities regarding OpenSSL, Kerberos 5, and PHP 5.3:
- multiple vulnerabilities that allow remote attackers to cause a denial of service (application crash or CPU consumption) (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to force a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows a remote authenticated administrator to cause a denial of service via a crafted request that creates a principal with the KRB5_KDB_DISALLOW_ALL_TIX flag set but without a password (Kerberos 5: CVE-2012-1013).
- multiple vulnerabilities that allow remote attackers to cause a denial of service (buffer over-read, NULL pointer dereference, or application crash) (Kerberos 5: CVE-2014-4341, CVE-2014-4342, and CVE-2014-4344).
- multiple vulnerabilities that allow remote attackers to cause a denial of service (buffer over-read, application exit, infinite loop, or performance degradation) (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, and CVE-2014-4049).
- a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
- a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).
Resolution
To fix the security issues, go to DSM > Control Panel > DSM Update and install the latest updates to protect your Synology NAS from malicious attacks.
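As an added example (not part of the Synology advisory), the following POSIX shell check tells you whether a DSM 4.2 unit is already at build 3251 or later before you rely on the DSM Update page. It assumes the DSM version file format, /etc.defaults/VERSION with key="value" lines such as majorversion="4", minorversion="2" and buildnumber="3211"; that file layout, the function names, and the sample file contents are assumptions of this example and should be verified on your own unit.

```shell
# Added example, not Synology's code. Assumes /etc.defaults/VERSION holds
# key="value" lines (majorversion, minorversion, buildnumber); verify on your NAS.

FIXED_MAJOR=4
FIXED_MINOR=2
FIXED_BUILD=3251

# version_field <key>: read the value of key="value" from VERSION-style text on stdin.
version_field() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"
}

# dsm_needs_update <version-file-text>
# Prints one of: patched (exit 0), update-needed (exit 1),
# other-branch (exit 2, not DSM 4.2 so 4.2-3251 is not the right comparison),
# unparsable (exit 3, buildnumber missing or not numeric).
dsm_needs_update() {
    text="$1"
    major=$(printf '%s\n' "$text" | version_field majorversion)
    minor=$(printf '%s\n' "$text" | version_field minorversion)
    build=$(printf '%s\n' "$text" | version_field buildnumber)

    if [ "$major" != "$FIXED_MAJOR" ] || [ "$minor" != "$FIXED_MINOR" ]; then
        echo "other-branch"
        return 2
    fi
    case "$build" in
        ''|*[!0-9]*) echo "unparsable"; return 3 ;;
    esac
    if [ "$build" -ge "$FIXED_BUILD" ]; then
        echo "patched"
        return 0
    fi
    echo "update-needed"
    return 1
}

# Constructed sample file contents (not copied from a real NAS).
SAMPLE_OLD='majorversion="4"
minorversion="2"
buildnumber="3211"
builddate="2013/05/09"'

SAMPLE_NEW='majorversion="4"
minorversion="2"
buildnumber="3251"
builddate="2014/08/26"'

# On a real unit: dsm_needs_update "$(cat /etc.defaults/VERSION)"
dsm_needs_update "$SAMPLE_OLD" || true
dsm_needs_update "$SAMPLE_NEW" || true
```

The comparison is done on buildnumber only, since the advisory identifies the fix by build (4.2-3251); a DSM 5.x unit is reported as other-branch rather than silently treated as patched or unpatched, because this advisory says nothing about other release lines.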