Synology Security Synology-SA-24:01 DSM


Well, DSM 7.1 is subject to this vulnerability and the fix is only available in 7.2, which is not available for all NAS models… some NAS are stuck in 7.1 but still on a supported version of DSM 7.1. Hope they will provide a fix for 7.1.
 
> some NAS are stuck in 7.1
But seriously... Is this specific "vulnerability" really such a big deal? Is it likely to happen to you? How would that occur? What would be the specific consequence? Do you have the same concern for your phone? PC?

Just trying to keep things in perspective.
 
> But seriously...
> Do you have the same concern for your phone? PC?

Of course not!
I patch only if a vulnerability is discovered on an even day of an odd month in a leap year.

😉
 
After reading about it, I spent time trying to determine if a new DSM had just come out, that I missed, and then, why this wasn't posted at the time 7.2 came out...?
 
7.2 first came out last November 2023 I think.
My system is on Automatic update. It's never failed in 10+ years.
 
I also noted that the initial remediation for all versions of DSM was to install DSM 7.2-64561. However, I just checked the advisory page just now and DSM 6.2 and 7.1 remediation has been changed to 'ongoing'. So hopefully there will be a fix for this vulnerability within these DSM versions.

I also noted the vulnerability was stated as being from local users. It's not clear what 'local' means as it could mean users accessing from the local network, or it could be DSM local accounts (as opposed to directory accounts). My working assumption is that the vulnerability is exposed via authenticated (logged in) DSM local account users, regardless of from where they are accessing the NAS. There's no other information on how or which services/applications have the vulnerability; it says DSM, so it could be limited to the Web interfaces (a malformed API call? for an already authenticated user?).

If you trust your users and enable stronger authentication methods, then it is probably [repeat probably] ok to wait for a fix.
