Synology-SA-17:32 Node.js

Publish Time: 2017-07-18 00:00:00 UTC+8

Last Updated: 2017-09-08 16:22:02 UTC+8

Severity
Important
Status
Resolved

Abstract

Multiple security vulnerabilities have been found in Node.js. They may allow remote attackers to cause a denial of service or to leak sensitive information from the vulnerable server.

Severity

  • Constant Hashtable Seeds
    • Important
    • CVSSv3 Base Score: N/A
  • http.get with numeric authorization options creates uninitialized buffers
    • Low
    • CVSSv3 Base Score: N/A
  • CVE-2017-1000381
    • Moderate
    • CVSSv3 Base Score: 6.5

Affected

  • Products
    • Node.js 4.4.8-0163 and below
    • Chat 1.1.1-0902 and below
    • Office 2.2.2-1508 and below
    • Calendar 2.0.0-0241 and below
    • MailPlus 1.3.0-0676
  • Models
    • All Synology NAS models

Description

  • Constant Hashtable Seeds (CVE pending): Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default, which caused the initially randomized seed to be overwritten on startup. Thanks to Jann Horn of Google Project Zero for reporting this vulnerability.
  • http.get with numeric authorization options creates uninitialized buffers: Application code that allows the auth field of the options object used with http.get() to be set to a number can result in an uninitialized buffer being created/used as the authentication string.
  • CVE-2017-1000381 - c-ares NAPTR parser out of bounds access: The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed-in DNS response packet was crafted in a particular way.
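
For the http.get item above, application code can reject a non-string auth value before the request is made. The following is an added example, not code from Synology or the Node.js project; buildRequestOptions, OPTION_TYPES and the sample JSON bodies are hypothetical, and it goes slightly beyond the advisory by type-checking the other copied fields as well.

```javascript
// Added example: build http.get() options from untrusted input with strict types.
// Expected typeof for each option that may be copied from untrusted input.
const OPTION_TYPES = { hostname: 'string', port: 'number', path: 'string', auth: 'string' };

// Hypothetical helper: returns a fresh options object containing only the
// allow-listed keys, and throws if any of them has the wrong type.
function buildRequestOptions(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('options must be a plain object');
  }
  const options = {};
  for (const key of Object.keys(OPTION_TYPES)) {
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = untrusted[key];
    // JSON.parse('{"auth": 4096}') yields a number. A numeric auth is the
    // case the advisory describes, so it is rejected here.
    if (typeof value !== OPTION_TYPES[key]) {
      throw new TypeError(key + ' must be a ' + OPTION_TYPES[key] + ', got ' + typeof value);
    }
    options[key] = value;
  }
  return options;
}

// Constructed sample inputs, shaped like JSON request bodies an application
// might forward into http.get().
const SAMPLES = [
  '{"hostname":"example.com","path":"/","auth":"user:secret"}',
  '{"hostname":"example.com","path":"/","auth":4096}',
];

// Runs every sample through the validator and reports the outcome.
function checkSamples() {
  return SAMPLES.map((json) => {
    try {
      buildRequestOptions(JSON.parse(json));
      return 'accepted';
    } catch (err) {
      return 'rejected: ' + err.message;
    }
  });
}

console.log(checkSamples());
```

Pass the returned object, not the original input, to http.get().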

Mitigation

None

Update Availability

To fix the security issue, please go to DSM > Package Center and update Node.js to 4.8.4-0164 or above.
