SOHOpelessly Broken 2.0

yes, but the note from the second table is strange:
The issues we reported to Synology (Session Fixation and the ability to Query Existence of Arbitrary Files) were included in this table.
But the Syno table row is empty.
There is still a major security issue for low-educated users - admin.
 
It looks like the Synology was not vulnerable to the items they were testing for in the table and they were unable to achieve root access. The two vulnerabilities they did find were reported and acknowledged by Synology. It doesn't say if they were fixed; however, there have been a lot of vulnerability patches since DSM 6.1.5, which was released in Feb. So I would assume it has either been fixed or is still being tracked on Synology Inc.
 
yes, here is the clarification from the source <broken link>:
- the session fixation was about a DS Photostation issue from June 2018 (fixed)
- and the second one about File sharing, also from summer 2018, also fixed
Then the official document (SOHO vulnerabilities) is missing details that would clearly define:
- when each single test was passed (in case of Synology, before June 2018)
- when the vulnerabilities were disclosed to the vendor (June 2018)
- when they were assigned by the vendor (November 2018)
- when they were fixed by the vendor.
Date of issuing the SOHO vulnerabilities doc is Sept 16th 2019. Then, there are unclear statements, which would look like current or still-live problems.

Follow my research:
- this vulnerability of Photo Station - link - was fixed by Synology from Photo Station ver 6.8.7-3481 in 2018, Synology link
- the second vulnerability was fixed by DSM from ver. 6.2.-23739-2 (summer 2018).

Summary:
I really don’t understand why a security report from September 2019 contains an unclear statement about such vulnerabilities, which were fixed more than 12 months ago.
Here you can find the CVE list for Synology, which is more useful.
 

Thanks for the CVE link, I didn't think of checking that site. Seems a bit odd that they didn't just say, and makes me wonder when they actually did the testing.
 
The situation is maybe more than odd, reason:
- the provider of the mentioned CVE records was the guys from ISE = authors of the SOHO security reports, look here
Then the circle is closed.
It seems we've read a too-old security report that was issued just two days ago. Because in such security issues everything older than 1 day is really old. Then the value or trust of the report is low. Still regarding Synology, but we can expect all the rest of the information in such a way. Maybe the guys from ISE would like to clarify this point.
 
I can see some merit in publishing this report and give findings against the then test versions of software, even if bugs have been fixed in the interim.

Just look at the types of questions asked on forums and you can see that even engaged users of a product have vastly different levels of expertise in general computing and networking, and specifics about their equipment. This would indicate that there are many owners that are more passive in their management than they really should be. As such, the kit may not have the most secure setup, may be exposed due to use of convenience features, and may have OS and packages not updated to address at least security fixes.

Therefore, anything that highlights vulnerabilities (better published once patched) can help to raise awareness and hopefully get these reticent owners to seek help to maintain a secure device, and home setup.


My general concern regarding the Insecure of Things (IoT) was mentioned in the paper: these devices are/were produced for convenience and had little done to ensure that the devices were not themselves exposed to attack (leakage of data within the IoT's system and service) nor that the security of the local network environment was at risk due to IoT compromise (exploitable flaws giving a jump off point to LAN devices).


BTW did anyone notice that the table lists DS218j on DSM 6.1.5 yet at the end of the paper it mentions the rt2600ac (which would more likely have been on SRM 1.1).
 
@fredbert - totally agree.
It is still the base of my frequently used topic about mass-market targeting vs easy setup vs awareness of users about risks of usage.
We can educate people in this forum, but there is still a major problem - vendor responsibility for preparing such an initial setup that will help a non-educated user to make their system safe, e.g.:
- immediately and mandatorily change the admin user to another user name, containing a set of all possible characters. From the first setup of a new device.
- same for 2FA
- same for user control (block list initial setup for 2 failed attempts), except the local IP first connected for setup of the NAS
- etc.
It will help newbies to be on the safe side.
 
My general concern regarding the Insecure of Things (IoT) was mentioned in the paper: these devices are/were produced for convenience and had little done to ensure that the devices were not themselves exposed to attack (leakage of data within the IoT's system and service) nor that the security of the local network environment was at risk due to IoT compromise (exploitable flaws giving a jump off point to LAN devices).
Indeed, this is one of the key concerns I look into every time I consider a “smart” home device (which often really is about providing internet connectivity on a device that is otherwise no different).

And I agree that there is merit to publishing work based on uncovered bugs that have since been fixed. After all, it would be highly irresponsible not to allow time for the manufacturers to fix the bugs first!
 
