DSM 4.0-2264
Publish Time: 2014-08-27 00:00:00 UTC+8
Last Updated: UTC+8
Status: Resolved
Description
This update for DSM 4.0-2264 addresses the following security vulnerabilities in OpenSSL and PHP 5.3:
- multiple vulnerabilities that allow remote attackers to perform denial of service attacks, causing an application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to force a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information (OpenSSL: CVE-2014-0224).
- a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment (OpenSSL: CVE-2014-0195).
- multiple vulnerabilities that allow remote attackers to perform various kinds of denial of service attacks (OpenSSL: CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470).
- a vulnerability that allows remote attackers to obtain ECDSA nonces that could result in a side-channel attack (OpenSSL: CVE-2014-0076).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049).
- a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
- a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks.