Synology - Bash Vulnerability "Shellshock"...

Senior Advisor

Hi All Synology Users,

 

Please take note of the following vulnerability ...

https://www.synology.com/en-global/support/security/bash_shellshock

 


Synology Product Security Advisory

Synology is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers.

Report Vulnerabilities

To report security issues that affect Synology products, please contact: security@synology.com

Please note that this e-mail address is used for monitoring potential product security issues. Generally speaking, we won’t reply to incoming e-mail messages unless further information is required. For technical support for Synology products, please visit our Support & Service section instead.

PGP Key Information

When you are reporting a vulnerability via e-mail, you can use Synology's Product Security PGP key to encrypt sensitive information.

Synology Product Security Updates

To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Release Dates     Security Updates
9/26/2014     Important Information about Bash Vulnerability "ShellShock" (CVE-2014-6271 and CVE-2014-7169)

Description

A vulnerability of a commonly used UNIX command shell, Bash, has been discovered, allowing unauthorized users to remotely gain control of vulnerable UNIX-like systems. A thorough investigation by Synology shows the majority of Synology NAS servers will not be affected. The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The DSM built-in Bash command shell is reserved for system service use only (HA Manager) and not available to public users.

Affected Models

Synology has released critical updates to address this vulnerability. The applied models vary on different versions of DSM due to differences in implementation. We have confirmed that models which are not listed below are unaffected by this Bash vulnerability.

DSM 5.1 4977-1

    14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+, RS3614xs, RS3614RPxs
    13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
    12-series: DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
    11-series: DS3611xs, RS3411xs, RS3411RPxs

DSM 5.0 4519-1

    15-series: DS415+

DSM 5.0 4493-7

    14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+, RS3614xs, RS3614RPxs
    13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
    12-series: DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
    11-series: DS3611xs, RS3411xs, RS3411RPxs

DSM 4.3 3827-8

    14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+
    13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
    12-series: DS712+, DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
    11-series: DS3611xs, RS3411xs, RS3411RPxs, DS2411+, RS2211+, RS2211RP+, DS1511+, DS411+II, DS411+
    10-series: DS1010+, RS810+, RS810RP+, DS710+

Resolution

If your Synology NAS server is one of the above models and an update is available, please go to DSM > Control Panel > Update & Restore > DSM Update (DSM > Control Panel > DSM Update if your Synology NAS is running DSM 4.3) and install the latest updates to protect your NAS from malicious attacks.

Senior Advisor

Re: Synology - Bash Vulnerability "Shellshock"...

Other Synology issues,

References:

 

http://community.f-secure.com/t5/Security/Synolocker-file-decryption/td-p/56469

 

https://www.synology.com/en-global/support/security/SynoLocker

 

 

(Please take note: always go to the www.synology.com website and, under Support, click on Security Advisory.)

 
