DSM 4.3-3827 Update 2

Publish Time: 2014-04-21 00:00:00 UTC+8

Last Updated: UTC+8

Status
Resolved

Description

DSM 4.3-3827 Update 2 addresses the vulnerability below:

  • A critical security issue in OpenSSL, known as Heartbleed, which allows remote attackers to obtain sensitive information from process memory. (CVE-2014-0160)

Read First

The resolution below is not necessary if the HTTPS, OpenVPN, and FTPS services were disabled on your DiskStation prior to installing DSM 4.3-3827 Update 2.

Resolution

To fix this security issue, please log in to DSM, go to Control Panel > DSM Update, click Update Settings and select Important Updates Only to see and install the update.

After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. Go to Control Panel > DSM Settings > Certificate to check whether you have a third-party or self-signed certificate.

  • For self-signed SSL certificate renewal:
    1. To renew your certificate using DSM, please go to Control Panel > DSM Settings > Certificate, click Create Certificate > Create self-signed certificate.
    2. Follow the instructions to complete the self-signed certificate process.
  • For third-party SSL certificate renewal:
    1. To renew your certificate via a third-party certificate authority (CA), please go to Control Panel > DSM Settings > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.
    2. Use the CSR to acquire a new certificate from your CA.
    3. Go to Control Panel > DSM Settings > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt).
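To confirm that the renewal actually happened, the check below compares the certificate a DiskStation serves against the advisory date and tells you which of the two renewal paths above applies. This is an added example, not Synology's own code; it assumes DSM serves HTTPS on port 5001 and that you pass a PEM file the handshake can verify against (for a self-signed certificate, the NAS certificate itself).

```python
import socket
import ssl
from datetime import datetime, timezone

# Advisory publication date. A certificate whose validity began before the fix
# was installed may have had its private key leaked via Heartbleed, so the
# safe assumption is that it needs replacing. Use your own install date if known.
DSM_UPDATE_PUBLISHED = datetime(2014, 4, 21, tzinfo=timezone.utc)


def _names(rdn_seq) -> dict:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {attr: value for rdn in rdn_seq for attr, value in rdn}


def is_self_signed(cert: dict) -> bool:
    """Self-signed: issuer and subject name the same entity (here, the NAS)."""
    return _names(cert.get("issuer", ())) == _names(cert.get("subject", ()))


def issued_before(cert: dict, cutoff: datetime) -> bool:
    """True if notBefore ('Apr 21 00:00:00 2014 GMT' format) predates cutoff."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) < cutoff.timestamp()


def renewal_advice(cert: dict, cutoff: datetime = DSM_UPDATE_PUBLISHED) -> str:
    """Map a certificate to the advisory's renewal path (self-signed vs CA)."""
    if not issued_before(cert, cutoff):
        return "ok (issued after the fix)"
    kind = "self-signed" if is_self_signed(cert) else "third-party"
    return f"renew ({kind} certificate issued before the fix)"


def fetch_cert(host: str, cafile: str, port: int = 5001) -> dict:
    """Fetch the cert a DiskStation presents (DSM HTTPS port 5001 assumed).
    cafile must verify the chain; for a self-signed NAS cert, export and pass
    that cert itself, as getpeercert() returns {} when verification is off."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape, not real NAS certs.
OLD_SELF_SIGNED = {
    "subject": ((("commonName", "diskstation.local"),),),
    "issuer": ((("commonName", "diskstation.local"),),),
    "notBefore": "Mar 10 12:00:00 2014 GMT",
}
NEW_CA_SIGNED = {
    "subject": ((("commonName", "nas.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Apr 25 09:30:00 2014 GMT",
}
```

Run `renewal_advice(fetch_cert("your-nas-host", "nas.pem"))` against a live DiskStation; the sample dicts exist so the logic can be exercised offline.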

As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.

A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users.