DSM 4.2-3251

Publish Time: 2014-08-26 00:00:00 UTC+8

Last Updated: UTC+8

Status
Resolved

Description

This update for DSM 4.2-3251 addresses the following security vulnerabilities regarding OpenSSL, Kerberos 5, and PHP 5.3:

  • multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks to cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
  • a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
  • a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support higher TLS version (OpenSSL: CVE-2014-3511).
  • a vulnerability that allows remote authenticated administrator to exploit creating a request via KRB5_KDB_DISALLOW_ALL_TIX that lacks a password to cause a denial of service (Kerberos 5: CVE-2012-1013).
  • multiple vulnerabilities that allow remote attackers to use the exploits to cause denial of service attacks resulting in buffer over-read, NULL pointer dereference, or application crash (Kerberos 5: CVE-2014-4341, CVE-2014-4344 and CVE-2014-4342).
  • a vulnerability that allows remote attackers to use multiple exploits to cause denial of service attacks resulting in buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049).
  • a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
  • a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).

Resolution

To fix the security issues, please go to DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks.