安全性扫描结果

Synology 重视您的系统安全性。我们致力于提供用户可信赖的操作系统及服务。为以更积极主动的方式确保安全性,我们采用了可靠的安全性扫描解决方案 QualysGuard,于每次 DSM 发布重大更新时,对系统进行完整扫描并采取相关修复措施。

扫描环境

  • 扫描软件: Qualysguard Vulnerability Management (VM)
  • DSM 版本: DSM 6.1 build 15032
  • 扫描日期: 2017/1/19
  • 准备作业: 本次扫描是以通过 Synology 安全咨询中心之企业模式验证的 DSM 为基础。
  • Scanner Version: 9.0.29-1
  • Vulnerability Signatures: 2.3.523-2
  • 已启动之套件清单: 显示
    • Antivirus Essential
    • AudioStation
    • Backup & Restore
    • CardDAVServer
    • Cloud Station Server
    • CloudStationClient
    • CloudSync
    • DirectoryServer
    • Discourse
    • DNSServer
    • Docker
    • Document Viewer
    • DokuWiki
    • DownloadStation
    • Drupal
    • GitLab
    • GlacierBackup
    • GLPI
    • HASP
    • HiDriveBackup
    • iTunesServer
    • Java
    • joomla
    • LimeSurvey
    • Load Balancer
    • Logitech Media Server
    • LXQt
    • Magento
    • MailServer
    • MailStation
    • MantisBT
    • MariaDB
    • MediaServer
    • MediaWiki
    • Moodle
    • Node.js
    • NoteStation
    • Odoo8
    • OpenERP
    • OrangeHRM
    • osCommerce
    • osTicket
    • PACS
    • PDF Viewer
    • PEAR
    • PhotoStation
    • phpBB
    • phpMyAdmin
    • Piwik
    • Podcast Generator
    • PrestaShop
    • Proxy Server
    • Python3
    • PythonModule
    • RadiusServer
    • Redmine
    • Ruby
    • Spreadsheet
    • SpreeCommerce
    • SSO Server
    • SugarCRM
    • Surveillance
    • TimeBackup
    • VideoStation
    • VPNCenter
    • vtigerCRM
    • web station
    • Webalizer
    • WordPress

安全性弱点摘要

Synology 在下面列出了扫描结果摘要。

严重性层级 已确认 潜在
5 0 3
4 0 2
3 9 6
2 3 2
1 2 0
总计 14 13

According to Qualy’s Severity Level Knowledge Base, vulnerabilities rated level 4 and level 5 are considered critical and could lead to unauthorized access to the system. All major DSM releases since DSM 5.2-5592 have been tested to ensure there are no vulnerabilities of these two levels. Level 1, level 2, and level 3 are considered lower in severity, Synology’s comments aside for risk management.

In addition, items listed in Potential Vulnerabilities were not fully identified as vulnerabilities and could be detected because of certain conditions necessary for vulnerability detection. Thus the severity of these items is considered relatively low.

安全性弱点

严重性层级 主题 端口 / 服务 批注
3 NFS Exported Filesystems List Vulnerability NFS You will always see this warning when NFS service is enabled. As long as the NFS rules are properly set to exclusively allow the connection of specific IP addresses, your Synology NAS should be safe.
3 DNS Zone Transfer port 53/tcp
DNS server
Adding rules reminder to security advisor could reduce issues resulting from configuration.
3 SSL/TLS Server supports TLSv1.0 port 8443/tcp over SSL
CardDAV
With regards to the compatibility with clients of older version that does not support SSl/TLS connection.
3 port 5006/tcp over SSL
WebDAV
3 port 993/tcp over SSL
Mail Server
3 port 995/tcp over SSL
Mail Server
3 port 21/tcp over SSL
FTP
3 port 3269/tcp over SSL
3 port 636/tcp over SSL
LDAP
2 Hidden RPC Services NFS You will always see this warning when NFS service is enabled. As long as the NFS rules are properly set to exclusively allow the connection of specific IP addresses, your Synology NAS should be safe.
2 NFS RPC Services Listening on Non-Privileged Ports NFS Mac users can enable this option for the compatibility with NFS service. This option is disabled by default.
2 JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure port 9080/tcp
PACS
This can be avoided by correct configuration of firewall settings. Please make sure only trusted devices can access your Synology NAS.
1 Remote Management Service Accepting Unencrypted Credentials Detected Service name: TFTP on UDP port 69. Service name: FTP on TCP port 21.
FTP / TFTP
This issue is still in research stage by Synology.
1 JBoss HTTP Header Information Disclosure Vulnerability port 9080/tcp This can be avoided by correct configuration of firewall settings. Please make sure only trusted devices can access your Synology NAS.

潜在安全性弱点

严重性层级 主题 端口 / 服务 批注
5 Red Hat JBoss EAP/Web Server Java UnSerialize Common-Collections Remote Code Execution Vulnerability PACS
5 Statd Format Bug Vulnerability NFS Synology has confirmed the version of implemented NFS module is 1.2.8, much later than the version required to address the issue.
5 NFS-Utils Xlog Remote Buffer Overrun Vulnerability NFS
4 Red Hat JBoss Enterprise Application Platform Multiple Security Vulnerabilities port 9080/tcp
PACS
This can be avoided by correct configuration of firewall settings. Please make sure only trusted devices can access your Synology NAS.
4 OpenRADIUS Divide By Zero Denial of Service Vulnerability port 1812/udp
RADIUS server
Synology uses FreeRADIUS, not OpenRADIUS.
3 OpenSSH Xauth Command Injection Vulnerability OpenSSH DSM supports X11 forwarding but GUI of X11. Therefore the system will not be affected by this vulnerability. Synology is still in contact with Qualys to clarify this issue.
3 SMB Signing Disabled or SMB Signing Not Required Samba This issue is still in research stage by Synology.
3 Service Stopped Responding port 3262/tcp
iSCSI
3 Red Hat JBoss Enterprise Application Platform Multiple Security Vulnerabilities (RHSA-2014:0170-1) port 9080/tcp
PACS
This can be avoided by correct configuration of firewall settings. Please make sure only trusted devices can access your Synology NAS.
3 Multiple Vendor Radius Short Vendor-Length Field Denial of Service Vulnerability port 1812/udp
RADIUS server
Synology uses FreeRADIUS, not OpenRADIUS.
3 IETF RADIUS Dictionary Attack Vulnerability port 1812/udp
RADIUS server
This issue is still in research stage by Synology.
2 nlockmgr RPC Service Multiple Vulnerabilities NFS Synology has confirmed the version of implemented NFS module is 1.2.1, much later than the version required to address the issue.
2 Database Instance Detected port 3306/tcp
MariaDB
This can be avoided by correct configuration of firewall settings. Please make sure only trusted devices can access your Synology NAS.

扫描环境

  • 扫描软件: Qualysguard Vulnerability Management (VM)
  • DSM 版本: DSM 6.0 build 7319
  • 扫描日期: 2016/3/24
  • 准备作业: 本次扫描是以通过 Synology 安全咨询中心之企业模式验证的 DSM 为基础。
  • Scanner Version: 8.0.15-1
  • Vulnerability Signatures: 2.3.261-3
  • 已启动之套件清单: 显示
    • Antivirus Essential
    • AudioStation
    • Backup & Restore
    • CardDAVServer
    • Cloud Station Server
    • CloudStationClient
    • CloudSync
    • DirectoryServer
    • Discourse
    • DNSServer
    • Docker
    • Document Viewer
    • DokuWiki
    • DownloadStation
    • Drupal
    • GitLab
    • GlacierBackup
    • GLPI
    • HASP
    • HiDriveBackup
    • iTunesServer
    • Java
    • joomla
    • LimeSurvey
    • Load Balancer
    • Logitech Media Server
    • LXQt
    • Magento
    • MailServer
    • MailStation
    • MantisBT
    • MariaDB
    • MediaServer
    • MediaWiki
    • Moodle
    • Node.js
    • NoteStation
    • Odoo8
    • OpenERP
    • OrangeHRM
    • osCommerce
    • osTicket
    • PACS
    • PDF Viewer
    • PEAR
    • PhotoStation
    • phpBB
    • phpMyAdmin
    • Piwik
    • Podcast Generator
    • PrestaShop
    • Proxy Server
    • Python3
    • PythonModule
    • RadiusServer
    • Redmine
    • Ruby
    • Spreadsheet
    • SpreeCommerce
    • SSO Server
    • SugarCRM
    • Surveillance
    • TimeBackup
    • VideoStation
    • VPNCenter
    • vtigerCRM
    • web station
    • Webalizer
    • WordPress

安全性弱点摘要

Synology 在下面列出了扫描结果摘要。

严重性层级 已确认 潜在
5 0 1
4 0 0
3 10 2
2 6 1
1 1 4
总计 17 8

According to Qualy’s Severity Level Knowledge Base, vulnerabilities rated level 4 and level 5 are considered critical and could lead to unauthorized access to the system. All major DSM releases since DSM 5.2-5592 have been tested to ensure there are no vulnerabilities of these two levels. Level 1, level 2, and level 3 are considered lower in severity, Synology’s comments aside for risk management.

In addition, items listed in Potential Vulnerabilities were not fully identified as vulnerabilities and could be detected because of certain conditions necessary for vulnerability detection. Thus the severity of these items is considered relatively low.

安全性弱点

严重性层级 主题 端口 / 服务 批注
3 NFS Exported Filesystems List Vulnerability NFS This warning exists as long as NFS service is enabled. Synology NAS shall be safe if NFS rules are properly set, and if it may only be connected by specific IP addresses.
3 Mail Server Accepts Plaintext Credentials port 25/tcp It is to be compatible with clients with non-SSl/TLS connections.
3 POP3 Server Allows Plain Text Authentication Vulnerability port 110/tcp
3 Web Server Uses Plain-Text Form Based Authentication port 80/tcp HTTPS connection can be enabled to avoid this vulnerability.
3 port 9007/tcp
3 port 8000/tcp
3 port 7000/tcp
3 port 8800/tcp
3 port 9350/tcp
3 DNS Zone Transfer port 53/tcp DNS zone transfer is an option that can be disabled or enabled by users when needed.
2 Hidden RPC Services NFS This warning exists as long as NFS service is enabled. Synology NAS shall be safe if NFS rules are properly set, and if it may only be connected by specific IP addresses.
2 NFS RPC Services Listening on Non-Privileged Ports NFS This option is disabled by default. Users can enable this option to be compatible with Mac NFS system.
2 UDP Constant IP Identification Field Fingerprinting Vulnerability Kernel This vulnerability only exists in Linux kernel 2.4, but Synoloty NAS has upgraded to Linux kernel 2.6 and above. We are waiting for Qualys' reply for further clarification.
2 TCP Sequence Number Approximation Based Denial of Service This can be avoided by correctly configuring the firewall settings.
2 AutoComplete Attribute Not Disabled for Password in Form Based Authentication port 80/tcp Password auto-completion is allowed by default in the open source of Drupal, vtigerCRM, and phpMyAdmin.
2 port 443/tcp
1 Remote Management Service Accepting Unencrypted Credentials Detected port 30003/tcp TFTP is an option disabled by default and can also be configured in Control Panel > File Services > TFTP/PXE. It is recommanded that you use FTPS for better security.

潜在安全性弱点

严重性层级 主题 端口 / 服务 批注
5 Statd Format Bug Vulnerability Synology has confirmed that the NFS module implemented is version 1.2.1, the version much newer than the version required to addressing the issue.
3 OpenSSH "X SECURITY" Bypass Vulnerability port 22/tcp DSM does not support the GUI of X11, therefore the system is not affected by this vulnerability. Synology is in contact with Qualys to clarify of this warning.
3 port 5566/tcp
2 nlockmgr RPC Service Multiple Vulnerabilities Synology has confirmed that the NFS module implemented is version 1.2.1, the version much newer than the version required to addressing the issue.
1 Possible Scan Interference This issue is caused by setup and environment instead of DSM itself.
1 Postfix SMTP Log Denial of Service Vulnerability port 25/tcp Our Postfix version is 2.9.2, which is not included in the range of problematic versions.
1 port 465/tcp over SSL
1 port 587/tcp

扫描环境

  • 扫描软件: Qualysguard Vulnerability Management (VM)
  • DSM 版本: DSM 5.2 - 5589
  • 扫描日期: 2015/6/26
  • 准备作业: 本次扫描是以通过 Synology 安全咨询中心之企业模式验证的 DSM 为基础。
  • Scanner Version: 7.14.37-1
  • Vulnerability Signatures: 2.3.50-2
  • 已启动之套件清单: 显示
    • Antivirus Essential
    • Audio Station
    • CardDAV Server
    • Cloud Station
    • Cloud Station Client
    • Cloud Sync
    • Directory Server
    • DNS Server
    • Download Station
    • Glacier Backup
    • HiDrive Backup
    • iTunes Server
    • Java Manager
    • Mail Server
    • Mail Station
    • MariaDB
    • Media Server
    • Note Station
    • Photo Station
    • Proxy Server
    • Python Module
    • Radius Server
    • SSO Server
    • Surveillance Station
    • TimeBackup
    • Video Station
    • VPN Center

安全性弱点摘要

Synology 在下面列出了扫描结果摘要。

严重性层级 已确认 潜在
5 0 0
4 0 1
3 17 4
2 22 1
1 0 5
总计 39 11

According to Qualy’s Severity Level Knowledge Base, vulnerabilities rated level 4 and level 5 are considered critical and could lead to unauthorized access to the system. All major DSM releases since DSM 5.2-5592 have been tested to ensure there are no vulnerabilities of these two levels. Level 1, level 2, and level 3 are considered lower in severity, Synology’s comments aside for risk management.

In addition, items listed in Potential Vulnerabilities were not fully identified as vulnerabilities and could be detected because of certain conditions necessary for vulnerability detection. Thus the severity of these items is considered relatively low.

安全性弱点

严重性层级 主题 端口 / 服务 批注
3 Squid Proxy X509 Sever Certification Validation Bypass Vulnerability Proxy Server Synology Proxy Server does not support the feature that is being affected by the vulnerability on Squid Proxy X509 Sever, so this shall not raise such security issue.
3 Web Server Uses Plain-Text Form Based Authentication port 80/tcp
mail
HTTPS connection can be enabled to avoid this vulnerability.
3 Mail Server Accepts Plaintext Credentials port 25/tcp It is to be compatible with clients with non-SSl/TLS connections.
3 POP3 Server Allows Plain Text Authentication Vulnerability port 110/tcp
3 SSL/TLS use of weak RC4 cipher port 993/tcp over SSL
Mail Server (IMAPS)
Weak RC4 cipher is kept to ensure backward compatibility.
3 SSL Server Supports Weak Encryption Vulnerability port 636/tcp over SSL
LDAP
Weak encryption is kept for compatibility with other LDAP clients.
3 SSL/TLS use of weak RC4 cipher port 636/tcp over SSL
LDAP
Weak RC4 cipher is kept to ensure backward compatibility.
3 SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) port 636/tcp over SSL
LDAP
SSLv3 is supported to be compatible with IBM Domino LDAP Server.
3 SSL Server Has SSLv3 Enabled Vulnerability port 636/tcp over SSL
LDAP
3 SSL/TLS use of weak RC4 cipher port 995/tcp over SSL Weak RC4 cipher is kept to ensure backward compatibility.
3 DNS Zone Transfer port 53/tcp
DNS server
DNS zone transfer is an option that can be disabled or enabled by users when needed.
3 SSL Server Supports Weak Encryption Vulnerability port 21/tcp over SSL
FTP
Weak RC4 cipher is kept to ensure backward compatibility.
3 SSL/TLS use of weak RC4 cipher port 21/tcp over SSL
FTP
3 SSL Server Supports Weak Encryption Vulnerability port 25/tcp over SSL
Mail Server (SMTP)
3 SSL/TLS use of weak RC4 cipher port 143/tcp over SSL
Mail Server (IMAP)
3 port 110/tcp over SSL
Mail Server (POP3)
3 NFS Exported Filesystems List Vulnerability NFS This warning exists as long as NFS service is enabled. Synology NAS shall be safe if NFS rules are properly set, and if it may only be connected by specific IP addresses.
2 SSL Certificate - Subject Common Name Does Not Match Server FQDN port 443/tcp over SSL This warning will not exist after system administrator signs an identified certificate.
2 port 993/tcp over SSL
2 port 636/tcp over SSL
2 port 995/tcp over SSL
2 port 8001/tcp over SSL
2 port 465/tcp over SSL
2 port 9351/tcp over SSL
2 port 5002/tcp over SSL
2 port 8801/tcp over SSL
2 port 9901/tcp over SSL
2 port 7001/tcp over SSL
2 port 9008/tcp over SSL
2 port 21/tcp over SSL
2 port 25/tcp over SSL
2 port 143/tcp over SSL
2 port 110/tcp over SSL
2 port 587/tcp over SSL
2 port 5006/tcp over SSL
2 Hidden RPC Services NFS This warning exists as long as NFS service is enabled. Synology NAS shall be safe if NFS rules are properly set, and if it may only be connected by specific IP addresses.
2 NFS RPC Services Listening on Non-Privileged Ports NFS This option is disabled by default. Users can enable this option to be compatible with Mac NFS system.
2 UDP Constant IP Identification Field Fingerprinting Vulnerability Kernel This vulnerability only exists in Linux kernel 2.4, but Synoloty NAS has upgraded to Linux kernel 2.6 and above. We are waiting for Qualys' reply for further clarification.
2 TCP Sequence Number Approximation Based Denial of Service port 111/21 This is an issue that could be avoided by applying firewall settings.

潜在安全性弱点

严重性层级 主题 端口 / 服务 批注
4 OpenRADIUS Divide By Zero Denial of Service Vulnerability port 1812/udp
RADIUS
Synology NAS does not apply the open-source solution OpenRADIUS. We are waiting for Qualys' reply for further clarification.
3 Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day port 50000/tcp Although Apache 2.2.3 is applied in DSM, this vulnerability has actually been addressed.
3 port 5002/tcp
3 Multiple Vendor Radius Short Vendor-Length Field Denial of Service Vulnerability port 1812/udp
RADIUS
This CVE only exists in FreeRADIUS version 0.3 and older versions. Synology Radius Server has upgraded to FreeRADIUS 2.2.5.
3 IETF RADIUS Dictionary Attack Vulnerability port 1812/udp
RADIUS
EAP-MD5 is supported for compatibility.
2 nlockmgr RPC Service Multiple Vulnerabilities NFS It is confirmed that the NFS module has been updated to a newer version addressing this vulnerability. We are waiting for further clarification from Qualys.
1 OpenLDAP Multiple Vulnerabilities LDAP Our OpenLDAP version is 2.4.40, which is not included in the range of problematic versions.
1 Postfix SMTP Log Denial of Service Vulnerability port 25/tcp
Mail Server
Our Postfix version is 2.9.2, which is not included in the range of problematic versions.
1 port 465/tcp over SSL
1 port 587/tcp
1 Possible Scan Interference This issue is caused by setup and environment instead of DSM itself.

下载完整报告

扫描环境

  • 扫描软件: Qualysguard Vulnerability Management (VM)
  • SRM 版本: SRM 1.1 - 6328
  • 扫描日期: 2016/7/4
  • 准备作业: 本次扫描是以通过 Synology 安全咨询中心之企业模式验证的 SRM 为基础。
  • Scanner Version: 8.2.18-1
  • Vulnerability Signatures: 2.3.329-2
  • 已启动之套件清单: 显示
    • Download Station
    • VPN Server
    • DNS Server
    • Radius Server
    • Media Server
    • Cloud Station
    • Intrusion Prevention
    • Perl

安全性弱点摘要

Synology 在下面列出了扫描结果摘要。

严重性层级 已确认 潜在
5 0 0
4 0 0
3 4 2
2 5 0
1 1 0
总计 10 2

According to Qualy’s Severity Level Knowledge Base, vulnerabilities rated level 4 and level 5 are considered critical and could lead to unauthorized access to the system. All major SRM releases have been tested to ensure there are no vulnerabilities of these two levels. Level 1, level 2, and level 3 are considered lower in severity, Synology’s comments aside for risk management.

安全性弱点

严重性层级 主题 端口 / 服务 批注
3 WINS Domain Controller Spoofing Vulnerability - Zero Day udp port 137
SMB / NETBIOS
It's the protocol design issue, and only affect users in NAT. It could be protected with proper firewall/routing table setting, so it will not be a problem in a well-protected environment.
3 NetBIOS Name Conflict Vulnerability udp port 137
SMB / NETBIOS
3 NetBIOS Release Vulnerability udp port 137
SMB / NETBIOS
3 DNS Zone Transfer port 53/tcp
DNS server
DNS zone transfer is an option that can be disabled or enabled by users themselves.
2 NetBIOS Name Accessible SMB / NETBIOS It's the protocol design issue, and only affect users in NAT. It could be protected with proper firewall/routing table setting, so it will not be a problem in a well-protected environment.
2 UDP Constant IP Identification Field Fingerprinting Vulnerabilit Kernel This vulnerability only exist in Linux kernel 2.4, but Synoloty NAS has upgraded to Linux kernel 2.6 and above. We are waiting for Qualys' reply for further clarification.
2 TCP Sequence Number Approximation Based Denial of Service port 111/21 This is an issue that can be avoided by firewall settings.
2 SSL Certificate - Subject Common Name Does Not Match Server FQDN port 443/tcp over SSL This waring will not exist after signing an identified certificate by the system administrator.
2 port 8001/tcp over SSL
1 ICMP Timestamp Request This issue is due to Qualys suggests not to filter all ICMP messages, as some of them are necessary for proper behavior of Operating System TCP/IP stacks. It could be avoided with proper firewall setting, so it will not be a problem in a well-protected environment.

潜在安全性弱点

严重性层级 主题 端口 / 服务 批注
3 OpenSSH Xauth Command Injection Vulnerability port 22/tcp SRM does not support the GUI of X11, therefore the system is not affected by this vulnerability. Synology is in contact with Qualys to clarify of this warning.
3 Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day port 8001/tcp
Web server
Although the version of Apache remains in 2.2.3 in SRM, this vulnerability has been addressed with individual fix.

下载完整报告

扫描环境

  • 扫描软件: Qualysguard Vulnerability Management (VM)
  • SRM 版本: SRM 1.0 - 5778
  • 扫描日期: 2015/10/21
  • 准备作业: 本次扫描是以通过 Synology 安全咨询中心之企业模式验证的 SRM 为基础。
  • Scanner Version: 7.16.38-1
  • Vulnerability Signatures: 2.3.128-3
  • 已启动之套件清单: 显示
    • Download Station
    • VPN Server
    • DNS Server
    • Radius Server
    • Media Server

安全性弱点摘要

Synology 在下面列出了扫描结果摘要。

严重性层级 已确认 潜在
5 0 0
4 0 0
3 1 2
2 2 0
1 0 0
总计 3 2

According to Qualy’s Severity Level Knowledge Base, vulnerabilities rated level 4 and level 5 are considered critical and could lead to unauthorized access to the system. All major SRM releases have been tested to ensure there are no vulnerabilities of these two levels. Level 1, level 2, and level 3 are considered lower in severity, Synology’s comments aside for risk management.

安全性弱点

严重性层级 主题 端口 / 服务 批注
3 DNS Zone Transfer port 53/tcp
DNS and BIND
DNS zone transfer is an option that can be disabled or enabled by users themselves.
2 UDP Constant IP Identification Field Fingerprinting Vulnerability TCP/IP This vulnerability only exist in Linux kernel 2.4, but SRM has upgraded to Linux kernel 3.6 and above. We are waiting for Qualys' reply for further clarification.
2 SSL Certificate - Subject Common Name Does Not Match Server FQDN port 8001/tcp over SSL
General remote services
This waring will not exist after signing an identified certificate by the system administrator.

潜在安全性弱点

严重性层级 主题 端口 / 服务 批注
3 Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day port 8000/tcp
Web server
Although the version of Apache remains in 2.2.3 in SRM, this vulnerability has been addressed with individual fix.
3 port 8001/tcp
Web server

下载完整报告