Synology Security Synology-SA-23:07 DSM


This and the other three security advisories posted at the same time would seem to point to the fact that we are all now being pushed to use the latest DSM and SRM. To summarise the responses:

OS version | Vulnerability response        | … or this
---------- | ----------------------------- | ------------
DSM 7.2    | Fixed in version XYZ of 7.2   |
DSM 7.1    | Fixed in version XYZ of 7.1   | Will not fix
DSM 7.0    | Will not fix                  |
DSM 6.2    | Will not fix                  |
SRM 1.3    | Ongoing                       |
SRM 1.2    | Will not fix                  |


Saw this a few days ago and said to myself “well that’s one way of pushing people to get the latest software and buy x15 or better models”.

“will not fix” bumper sticker right there!
 
I've not looked further into the vulnerabilities, but it was the 'will not fix' even for DSM 7.1 that was a surprise. DSM 7.1 was a last update point for a few NAS models and to so quickly stop security patching seems a little premature. It sort of begs the question: why didn't Synology just cut those models out of DSM 7 completely?
 
I’m not sure they have released the details of the vulnerabilities and successful exploitations. It could be that just having access to the NAS means they are potentially at risk.

I was wondering if placing it behind the proxy might afford a little protection from malformed requests. But I don’t think it will, especially if the vulnerability is a weak routine that’s part of the security mechanism that is called by, but isn’t part of, the network interface per se.
 
