yes, here is the clarification from the source:It looks like the Synology was not vulnerable to the items they were testing for in the table and they were unable to achieve root access. The two vulnerabilities they did find were reported and acknowledged by Synology.. It doesn't say if they were fixed however there have been a lot of vulnerability patches since DSM 6.1.5 which was released in Feb. So I would assume it has either been fixed or still being tracked on Synology Inc.
Thanks for the CVE link I didn't think of checking that site, seems a bit odd that they didn't just say and makes me wonder when they actually did the testing.yes, here is the clarification from the source:
- the session fixation was about DS Photostation isue from June 2018 (fixed)
- and second one about File sharing, also from summer 2018, also fixed
Then the official document (SOHO vulnerabilities) is missing such details, that will clearly define:
- when was each single test passed (in case of Synology, before june 2018)
- when was the vulnerabilities disclosed to vendor (june 2018)
- when was assigned by vendor (november 2018)
- when was fixed by vendor.
Date of issuing the SOHO vulnerabilities doc is Sept 16th 2019. Then, there are unclear statements, which would look like current or still in live problems.
Follow my research:
- this vulnerability of Photo Station - link - was fixed by Synology from Photo Station ver 6.8.7-3481 in 2018, Synology link
- the second vulnerability was fixed by DSM from ver. 6.2.-23739-2 (summer 2018).
I really don’t understand way in security report from September 2019 is unclear statement about such vulnerabilities, that was fixed more than 12 mont ago.
Here you can find CVE list for Synology, what is more useful.
The situation is maybe more than odd, reason:Thanks for the CVE link I didn't think of checking that site, seems a bit odd that they didn't just say and makes me wonder when they actually did the testing.
Indeed, this is one of the key concerns I look into every time I consider a “smart” home device (which often really is about providing internet connectivity on a device that is otherwise no different).My general concern regarding the Insecure of Things (IoT) was mentioned in the paper: these devices are/were produced for convenience and had little done to ensure that the devices were not themselves exposed to attack (leakage of data within the IoT's system and service) nor that the security of the local network environment was at risk due to IoT compromise (exploitable flaws giving a jump off point to LAN devices).